Bugtraq mailing list archives

kebi-Webmail Solution vulnerability (Tested)


From: Secret <sale2001 () orgio net>
Date: 8 Dec 2001 00:14:20 -0000



kebi-Webmail Solution vulnerability (Tested)
by secret (e-mail: sale2001 () orgio net )


Summary:
A remote attacker can obtain administrator privileges on a 
webmail server running the kebi-Webmail Solution.


Platform:
        Attacker platform:
        Any operating system with a web browser


        Target platform:
        Any server running the kebi Webmail solution
        (kebi Enterprise Version (KEV))
        (kebi Academy Version (KAV))


Description:
When a kebi webmail server is set up, a hidden directory that 
leads to the administrator menu is created. Its location is not 
publicly known, and there is no access control on it: 
http://target/a/ can be opened directly.
Because most systems running the Kebimail server expose this 
directory without any authentication, the personal information 
of all mail server users and the contents of their e-mail can 
be inspected, and if the homepage space assignment function 
is in use, the users' homepage contents are accessible as well.
Almost all administrator functions are available through this 
simple exploit. Moreover, by creating a Webmail Server user 
account (where free e-mail account application is possible) 
and then entering the exploit in the web browser, full 
administrator privileges can be obtained.


Exploit: http://mail.sample_target.com/a/

If the server using the kebi webmail solution is 
mail.sample_target.com:
The attack is simply entering http://mail.sample_target.com/a/ 
in the web browser's URL field.


Solution:
Prevent external attackers from seizing webmail server 
administrator privileges by applying web authentication 
(.htaccess, etc.) to 
http://webmail_server_URL/a/
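One way to apply the web authentication the solution above recommends, as an added example that is not from the advisory or the vendor: an Apache httpd configuration fragment that requires both a valid account and a request from the management network before /a/ is served. The Apache 2.4 syntax, the password file path and the 192.0.2.0/24 admin network are assumptions.

```apache
# Added example (not vendor configuration): protect the hidden kebi admin
# directory /a/ with HTTP Basic authentication AND a source-network
# restriction. Apache 2.4 syntax is assumed.
# Create the password file first (account name is a placeholder):
#   htpasswd -c /etc/httpd/kebi-admin.htpasswd mailadmin
<Location "/a/">
    AuthType Basic
    AuthName "kebi webmail administration"
    AuthUserFile "/etc/httpd/kebi-admin.htpasswd"
    # Both conditions must hold: a valid account and a request from the
    # management network (192.0.2.0/24 is an assumed placeholder range).
    <RequireAll>
        Require valid-user
        Require ip 192.0.2.0/24
    </RequireAll>
</Location>

# Log every request to the admin path separately, so unexpected access
# attempts against /a/ stand out from ordinary webmail traffic.
SetEnvIf Request_URI "^/a/" kebi_admin
CustomLog "logs/kebi_admin_access.log" combined env=kebi_admin
```

Serve the admin path over TLS, since Basic authentication only base64-encodes the credentials in transit.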


Comment:
The kebi webmail solution is used in many places (research 
institutes, schools, companies, and so on). Read this 
document and secure your server; I hope it is of great 
help.


Vendor site:
        http://solution.nara.co.kr/
        http://www.nara.co.kr



------------------------------------------------------
The writer : secret (e-mail : sale2001 () orgio net )
WOWHACKER Team : http://www.wowhacker.org
------------------------------------------------------
