News from the Lab: RockLiffe MailSite wconsole.dll Denial of Service/Script Injection Vulnerability

Monday, October 16, 2006

RockLiffe MailSite wconsole.dll Denial of Service/Script Injection Vulnerability

OS2A ID: OS2A_1004
Status:
01/06/2006 Issue Discovered
01/06/2006 Reported to the vendor
01/19/2006 Patch Released
01/20/2006 Advisory Released

Class: Denial of Service / Script Injection
Severity: CRITICAL

Overview:
Rockliffe's MailSite is a program for providing access to email
accounts on Microsoft Windows operating systems. The MailSite HTTP Mail
management agent could allow a remote attacker to cause a denial of
service or execute arbitrary script code.

Description:
1. MailSite HTTP Mail management agent version 7.0.3.1 could allow a remote
attacker to cause a denial of service. A bug in the input validation routine
in httpma causes the svchost process to consume more CPU cycles, thus
impacting the MailSite HTTP Management agent and ultimately crashing the service.

2. MailSite HTTP Mail management agent 6.x and 5.x could allow a remote
attacker to inject arbitrary script code. This vulnerability is caused
by a design error in wconsole.dll. This DLL contains embedded HTML
code that does not properly sanitize user input.

Impact:
1. Remote attackers can exploit this issue to trigger a denial of service
condition.
2. An attacker may leverage this issue to have arbitrary script code
executed in the browser in the context of the affected site.

Affected Software(s):
MailSite 7.0.3.1 and prior
MailSite 6.1.22 and prior
MailSite 5.x

Affected platform(s):
Windows (Any)

Exploit/Proof of Concept:
For 7.x series
http://www.example.com:90/CGI-BIN/WCONSOLE.DLL?Authenticate|cmd
Any special characters passed to the parameters of wconsole.dll
trigger the denial of service.

For 6.x & 5.x series
http://www.example.com:90/CGI-BIN/WCONSOLE.DLL?%3Cscript%3Ealert(document.cookie)%3C/script%3E

Solution:
For 7.x series apply the following patch.
ftp://ftp.rockliffe.com/MailSite/Latest/Hotfixes/

For 6.x series apply the following patch
ftp://ftp.rockliffe.com/MailSite/6.1.22/Hotfixes/
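
To check web server access logs for the two request patterns described above, the following added example (not part of the original advisory or of MailSite) flags wconsole.dll requests whose decoded query string contains script tags or other special characters. The log format, the sample lines and the allowlist of "safe" query characters are assumptions to adapt to the deployment.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines (not real traffic); documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jan/2006:10:00:01 +0000] "GET /CGI-BIN/WCONSOLE.DLL?Authenticate HTTP/1.1" 200 512
192.0.2.11 - - [20/Jan/2006:10:00:05 +0000] "GET /CGI-BIN/WCONSOLE.DLL?Authenticate|cmd HTTP/1.1" 500 0
192.0.2.12 - - [20/Jan/2006:10:00:09 +0000] "GET /cgi-bin/wconsole.dll?%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 734
192.0.2.13 - - [20/Jan/2006:10:00:12 +0000] "GET /index.html?q=<b> HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: legitimate console queries use only these characters; tune per site.
SAFE_QUERY_RE = re.compile(r"^[A-Za-z0-9_.=&-]*$")
SCRIPT_RE = re.compile(r"<\s*/?\s*script", re.IGNORECASE)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is still inspected."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return (source, finding, decoded_query) for a suspicious request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.lower().endswith("/wconsole.dll"):  # Windows paths ignore case
        return None
    decoded = fully_decode(query)
    if SCRIPT_RE.search(decoded):
        return (m.group("src"), "script-injection", decoded)
    if not SAFE_QUERY_RE.match(decoded):
        return (m.group("src"), "special-characters", decoded)
    return None


def scan(log_text):
    """Classify every line of a log and keep only the findings."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for src, finding, query in scan(SAMPLE_LOG):
        print(f"{src}\t{finding}\t{query}")
```
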

Reference:
http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0750.html
