====================================================================== Secunia Research 31/05/2006 - Eserv/3 IMAP and HTTP Server Multiple Vulnerabilities - ====================================================================== Table of Contents Affected Software....................................................1 Severity.............................................................2 Description of Vulnerability.........................................3 Solution.............................................................4 Time Table...........................................................5 Credits..............................................................6 References...........................................................7 About Secunia........................................................8 Verification.........................................................9 ====================================================================== 1) Affected Software * EServ/3 version 3.25 Prior versions may also be affected. ====================================================================== 2) Severity Rating: Moderately Critical Impact: Security bypass Exposure of sensitive information Where: Remote ====================================================================== 3) Description of Vulnerability Secunia Research has discovered some vulnerabilities in Eserv/3, which can be exploited by malicious users to bypass certain security restrictions and to disclose potentially sensitive information, and by malicious people to gain access to potentially sensitive information. 1) Directory traversal errors exist in the CREATE, SELECT, DELETE, RENAME, COPY and APPEND commands of the IMAP service. This can be exploited by an authenticated user to read other users' emails, create/rename arbitrary directories on the system, and delete empty directories. 2) A validation error of the filename extension supplied by the user in the URL can be exploited to retrieve the source code of script files (e.g. PHP, PL) from the HTTP server via specially crafted requests containing dot, space and slash characters. ====================================================================== 4) Solution Update to version 3.26 or apply patch. ====================================================================== 5) Time Table 15/05/2006 - Initial vendor notification. 15/05/2006 - Initial vendor reply. 31/05/2006 - Public disclosure. ====================================================================== 6) Credits Discovered by Tan Chew Keong, Secunia Research. ====================================================================== 7) References The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-2308 and CVE-2006-2309 for the vulnerabilities. EServ: http://www.eserv.ru/ru/news/news_detail.php?ID=235 ====================================================================== 8) About Secunia Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/ Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration. Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/ ====================================================================== 9) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-37/advisory/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ======================================================================