Bugtraq mailing list archives

Multiple vulnerabilities in Argosoft Mail Server 1.8.7.6


From: ShineShadow <ss_contacts () hotmail com>
Date: 22 Apr 2005 15:17:01 -0000



ShineShadow Security Report  22042005-04

TITLE: Multiple vulnerabilities in Argosoft Mail Server Pro 1.8.7.6.

BACKGROUND

ArGoSoft Mail Server is fully functional SMTP/POP3/Finger (Pro version also has IMAP module) server for Windows 
95/98/NT/2000, which will let you turn your computer into the email system. It's very compact, takes about 1-5 Mb of 
disk space (depending on the version), does not have any specific memory requirements, and what is the most important - 
it's very easy to use. 
Source: www.argosoft.com

VULNERABLE PRODUCTS

Argosoft Mail Server Pro 1.8.7.6 (possibly other versions)

DETAILS

1. Multiple cross-site scripting (XSS) vulnerabilities.

Description: 
A remote user can execute a cross-site scripting (XSS) attack. This is possible because some HTML tags in email
messages are not filtered (for example, the “src” parameter in the IMG tag). An attacker can send the victim a
specially crafted email message. If the victim views this message using the web interface, the attacker's Java code
will be executed in the victim's web browser. Many XSS vulnerabilities also exist in the input boxes of webmail pages
(for example, User settings, Address book and others).

2. Copying or moving files with arbitrary content and .eml extension to arbitrary locations on the server.

Vulnerable script: delete

Description: 
A remote user who has an account on Argosoft Mail Server can copy or move his own .eml files with arbitrary content
(which, for example, could be uploaded as an attachment) to arbitrary locations on the server. This is a directory
traversal vulnerability. The new name of the moved/copied .eml file is randomly generated by the script.

3. Deleting own account on the mail server.

Vulnerable script: folderdelete

Description:
A remote user who has an account on Argosoft Mail Server can delete his home directory and account on the mail server.
This is an input validation error in the “Folder” parameter.

4. Creating arbitrary user accounts on mail server.

Vulnerable script: addnew

Description:
A remote user can create a user account on the mail server even if the option “Allow Creation of Accounts From the Web
Interface” has been disabled. This is possible because the script does not require authentication. An attacker can send
a POST query to the vulnerable script to create a valid user account on the remote mail server. After that it is
possible to use the other vulnerabilities described in this report to get full control of Argosoft Mail Server or the
remote system.

5. Viewing arbitrary files on mail server.

Vulnerable script: msg

Description:
A remote user who has an account on Argosoft Mail Server can view arbitrary files on the mail server. This is a
directory traversal vulnerability in the “UIDL” parameter. An attacker can view messages of other users, configuration
files or other text files on the remote mail server.

6. Unfixed critical vulnerabilities.

Description:
Argosoft Mail Server 1.8.7.6 has known critical vulnerabilities that remain unfixed. SIG^2 (www.security.org.sg)
discovered some directory traversal vulnerabilities in Argosoft Mail Server 1.8.7.3
(http://www.security.org.sg/vuln/argosoftmail1873.html). The following vulnerabilities have NOT been fixed by the
vendor and exist in the latest version of the product (Argosoft Mail Server 1.8.7.6):
- Directory traversal in email attachment filename allows file upload to arbitrary directories
- Directory traversal in _msgatt.rec allows any arbitrary files on the server to be sent as attachment


EXPLOITATION

WebMail must be running on Argosoft Mail Server.

WORKAROUND

Disable WebMail of Argosoft Mail Server.

VENDOR STATUS

Vendor contacted: 24 January 2005
Contact was interrupted by the vendor. Details were not discussed during contact.


SUMMARY

An attacker who successfully exploited the vulnerabilities described in this report could take complete control of an
Argosoft Mail Server 1.8.7.x or an affected remote system. I do not advise using this product; you must disable the
Webmail service of Argosoft Mail Server.
        
CREDITS

ShineShadow, independent computer security expert.
To get more information, please contact me by e-mail.

22.04.2005
ShineShadow,
ss_contacts () hotmail com
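
Added example, not part of the original report and not Argosoft code: the directory traversal issues in items 2, 5 and 6 arise when a request-supplied name (a folder, a UIDL, an attachment filename) reaches the filesystem unchecked, and this sketch shows a server-side containment check that blocks that class of input. The mailbox layout, the token pattern and every name and sample value below are assumptions.

```python
import ntpath  # Windows path rules as pure string handling, so this runs on any OS
import re

# Assumption: user, folder and UIDL values are short tokens. The allowlist also
# excludes ':' (drives, alternate data streams), path separators and dots.
TOKEN = re.compile(r"[A-Za-z0-9_-]{1,64}")


class PathRejected(ValueError):
    """A request-supplied name would resolve outside the allowed directory."""


def contained_join(base, *parts):
    """Join parts onto base; raise unless the result is strictly below base."""
    base_n = ntpath.normcase(ntpath.normpath(base)).rstrip("\\")
    # join() lets an absolute or drive-qualified part replace base, and
    # normpath() collapses '..', so compare only the final normalized form.
    # This check is lexical: resolve junctions/symlinks first if they can exist.
    cand = ntpath.normpath(ntpath.join(base, *parts))
    # The trailing separator stops 'alice2' passing as a child of 'alice', and
    # strictness stops a name from resolving to the base directory itself.
    if not ntpath.normcase(cand).startswith(base_n + "\\"):
        raise PathRejected(cand)
    return cand


def message_path(mail_root, user, folder, uidl):
    """Hypothetical layout: <mail_root>\\<user>\\<folder>\\<uidl>.eml"""
    for name in (user, folder, uidl):
        if not TOKEN.fullmatch(name):
            raise PathRejected(name)
    mailbox = contained_join(mail_root, user)
    return contained_join(mailbox, folder, uidl + ".eml")


if __name__ == "__main__":
    root = "C:\\MailRoot"  # constructed sample values throughout
    print(message_path(root, "alice", "Inbox", "0001a"))
    for folder, uidl in [("Inbox", "..\\..\\bob\\Inbox\\0002"), ("..", "0001a"),
                         ("", "0001a"), ("Inbox", "C:\\boot")]:
        try:
            message_path(root, "alice", folder, uidl)
        except PathRejected as exc:
            print("rejected:", exc)
```

The allowlist and the containment check are independent layers: either one alone rejects the constructed inputs, and keeping both means a later loosening of the token pattern does not reopen the traversal.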