DESCRIPTION

"Gordano Messaging Suite is the powerful messaging server running on Windows, Linux, Solaris and AIX. It is being used by over twenty four thousand customers, in more than ninety countries, covering all sectors (Airlines, Government Agencies, Education, Industry, etc.)"

Gordano Messaging Suite is widely used by major organizations such as Compaq, Xerox, NASA, Cisco Systems, AT&T and FedEx.

More information at http://www.gordano.com.

SUMMARY

PRODUCT: Gordano Messaging Suite
VENDOR: Gordano
AFFECTED VERSIONS: Gordano Messaging Suite version 9, build 3138
SEVERITY:
IDENTIFIER: N/A
TESTED PLATFORM: Windows 2000, Windows XP Professional, Linux (x86)

E-CQURITY found several security flaws in the software that, if exploited by an attacker, could result in a DoS attack against the GMS application and in disclosure of sensitive information.

IMPACT

Remote Denial of Service

Information Disclosure

DETAILS

[Vulnerability #1] Remote DoS

The program x:\/bin/WWW.exe listens on the following ports to provide GMS Administration, WebMail Professional, WebMail Express, WebMail Mobile, Instant Messaging, and Web Server services to users: 80, 8000, 8025, 8081, 8888, 9000. Sending a request such as /../.. to the GMS Web Server on port 80 causes the WWW.exe process to terminate, and all services that WWW.exe provides shut down immediately.

~$ telnet 192.168.1.69
Trying 192.168.1.69...
Connected to 192.168.1.69
Escape character is '^]'.
GET /../.. HTTP/1.0
Connection closed by foreign host.

On Linux, the vulnerability does not terminate the /gordano/bin/WWW process, but the request never times out. If an attacker opens 15-20 connections sending /../.. requests, that will probably be enough to keep the GMS Server busy and deny service to legitimate users.

The service must be restarted to restore normal functionality.

[Vulnerability #2] Information Disclosure (requires valid user credentials)

The script alertlist.mml provides information about users who have logged in to the GMS Server and discloses useful information to an attacker, such as usernames, domains, login times, and so on. It is supposed to be accessible only to the GMS Server administrator, but a normal WebMail user can also access the script without logging in as an admin.

PROOF OF CONCEPT

[Vulnerability #2] Information Disclosure (requires valid user credentials)

The script can normally be accessed through http://www.victim.com:8000/admin/reports/alertlist.mml.
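
For detection, the two request patterns described above (dot-segments that climb above the web root, and requests for the admin report script) can be looked for in front-end logs. The following is an added example, not part of the original advisory or of Gordano's software. It assumes Common Log Format lines from a proxy or sensor in front of GMS, since the advisory does not describe GMS's own log layout; the sample lines and addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumption: Common Log Format from a proxy/sensor in front of GMS.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\S+)')
ADMIN_REPORT = "/admin/reports/alertlist.mml"  # path named in the advisory

def request_path(target: str) -> str:
    """Decode the path part of a request target (query string dropped)."""
    return unquote(target.split("?", 1)[0]).replace("\\", "/")

def climbs_above_root(target: str) -> bool:
    """True if '..' segments step above '/', as in 'GET /../..'."""
    depth = 0
    for seg in request_path(target).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def scan(lines):
    """Return (traversal hits per client, clients that requested the admin report)."""
    traversal, report = Counter(), set()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skipped rather than guessed at
        if climbs_above_root(m.group("target")):
            traversal[m.group("ip")] += 1
        if request_path(m.group("target")).lower() == ADMIN_REPORT:
            report.add(m.group("ip"))
    return traversal, report

# Constructed sample input (documentation address ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /../.. HTTP/1.0" 502 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /%2e%2e/%2e%2e HTTP/1.0" 502 0',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /docs/../index.html HTTP/1.0" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /admin/reports/alertlist.mml HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A hit on the admin report path is only a lead: the log line alone does not show whether the session belonged to an administrator, so it has to be correlated with the account that was logged in.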

VENDOR STATUS

Vendor has verified and released a patch that addresses the issues.

CREDIT

Phuong Nguyen

DISCLOSURE TIMELINE

N/A

APPENDIX

N/A

REFERENCES

N/A