OS2A RockLiffe MailSite wconsole.dll Denial of Service/Script Injection Vulnerability

OS2A ID: OS2A_1004

Status:
01/06/2006 Issue Discovered
01/06/2006 Reported to the vendor
01/19/2006 Patch Released
01/20/2006 Advisory Released

Class: Denial of Service / Script Injection
Severity: CRITICAL

Overview:
Rockliffe's MailSite is a mail server product that provides access to email accounts on Microsoft Windows operating systems. The MailSite HTTP Mail management agent could allow a remote attacker to cause a denial of service or to execute arbitrary script code in a user's browser.

Description:
1. MailSite HTTP Mail management agent version 7.0.3.1 could allow a remote attacker to cause a denial of service. A bug in the input validation routine in httpma causes the svchost process to consume excessive CPU cycles, degrading the MailSite HTTP Management agent and ultimately crashing the service.

2. MailSite HTTP Mail management agent 6.x and 5.x could allow a remote attacker to inject arbitrary script code. The vulnerability is caused by a design error in wconsole.dll: the HTML embedded in this DLL echoes user input into the page without properly sanitizing it, so script supplied in the query string is reflected back to the browser.

Impact:
1. Remote attackers can exploit this issue to trigger a denial of service condition.
2. An attacker may leverage this issue to have arbitrary script code executed in the browser of a user who follows a crafted link, in the context of the affected site (for example, to read the session cookie).

Affected Software(s):
MailSite 7.0.3.1 and prior
MailSite 6.1.22 and prior
MailSite 5.x

Affected platform(s):
Windows (Any)

Exploit/Proof of Concept:
For 7.x series:
http://www.example.com:90/CGI-BIN/WCONSOLE.DLL?Authenticate|cmd

Any special characters passed in the parameters to wconsole.dll trigger the denial of service.

For 6.x & 5.x series:
http://www.example.com:90/CGI-BIN/WCONSOLE.DLL?%3Cscript%3Ealert(document.cookie)%3C/script%3E

Solutions:
For 7.x series apply the following patch:
ftp://ftp.rockliffe.com/MailSite/Latest/Hotfixes/

For 6.x series apply the following patch:
ftp://ftp.rockliffe.com/MailSite/6.1.22/Hotfixes/

Credits:
Rahul Mohandas of OS2A has been credited with the discovery of this vulnerability.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
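The two request shapes given in the Exploit/Proof of Concept section above (a special character such as "|" in the wconsole.dll parameters for the 7.x denial of service, and an encoded script tag in the query string for the 6.x/5.x script injection) are easy to hunt for in the web server's access log. The script below is an example added by the editor and is not code from OS2A or Rockliffe. It assumes the management agent's requests are logged in IIS W3C extended format with the field names shown in the constructed sample, and the allow-list of "safe" query characters is the editor's assumption, not something the advisory specifies.

```python
"""Flag MailSite wconsole.dll requests matching the advisory's two PoC shapes
in IIS W3C extended log lines. Added example, not part of the original
advisory; the log lines below are constructed, not captured from a server."""
from urllib.parse import unquote

# Constructed sample log (assumption: the HTTP management agent's requests are
# written in IIS W3C extended format with these fields; adjust if yours differ).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2006-01-20 10:00:01 10.0.0.5 GET /CGI-BIN/WCONSOLE.DLL Authenticate 90 198.51.100.7 200
2006-01-20 10:00:02 10.0.0.5 GET /CGI-BIN/WCONSOLE.DLL Authenticate|cmd 90 198.51.100.7 500
2006-01-20 10:00:03 10.0.0.5 GET /CGI-BIN/WCONSOLE.DLL %3Cscript%3Ealert(document.cookie)%3C/script%3E 90 198.51.100.8 200
2006-01-20 10:00:04 10.0.0.5 GET /images/logo.gif - 90 198.51.100.9 200
2006-01-20 10:00:05 10.0.0.5 GET /CGI-BIN/WCONSOLE.DLL user=bob&folder=INBOX 90 198.51.100.7 200
"""

TARGET_STEM = "/cgi-bin/wconsole.dll"

# The advisory says "any special characters" in the parameters trigger the DoS.
# This conservative allow-list (editor's assumption) defines what is NOT special:
# letters, digits, and the usual key=value&key=value punctuation.
SAFE_QUERY_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.=&-")


def parse_w3c(lines):
    """Yield one dict (field name -> value) per data line, using the #Fields:
    directive that precedes the data in W3C extended log format."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields: line
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        yield dict(zip(fields, values))


def classify_query(raw_query):
    """Return 'script-injection', 'dos-probe' or None for one cs-uri-query value.
    IIS writes '-' when the request had no query string. The value is URL-decoded
    first so %3Cscript%3E and <script> are treated alike."""
    if raw_query == "-":
        return None
    decoded = unquote(raw_query)
    # wconsole.dll reflects the query into its embedded HTML unsanitized, so any
    # angle bracket is enough to inject markup; flag it before the DoS check.
    if "<" in decoded or ">" in decoded:
        return "script-injection"
    if any(ch not in SAFE_QUERY_CHARS for ch in decoded):
        return "dos-probe"
    return None


def scan_log(text):
    """Return (client ip, kind, decoded query) for each suspicious wconsole.dll
    request in the log text, in log order."""
    hits = []
    for rec in parse_w3c(text.splitlines()):
        if rec.get("cs-uri-stem", "").lower() != TARGET_STEM:
            continue
        kind = classify_query(rec.get("cs-uri-query", "-"))
        if kind:
            hits.append((rec.get("c-ip"), kind, unquote(rec["cs-uri-query"])))
    return hits


if __name__ == "__main__":
    for ip, kind, query in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {kind:16} {query}")
```

On the constructed sample this reports the "Authenticate|cmd" request as a dos-probe and the encoded script tag as script-injection, while the plain "Authenticate" and "user=bob&folder=INBOX" requests are left alone. A 500 status on a wconsole.dll request, or a sustained CPU spike in the svchost process hosting the agent, is the corroborating signal for the 7.x denial of service described above; script-injection hits are only a sign that someone is probing, since the payload executes in the victim's browser rather than on the server.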