1) EMUMAIL 5.x parameter validation vulnerability.
---------------------------

Summary
--------
Parameter validation bugs exist in 2 of the most popular Greek free e-mail providers. The problem also exists on many other servers worldwide. The affected software is EMUMAIL 5.x, used by Mail.gr; the software used by Mailbox.gr remains unidentified. This vulnerability allows the creation of arbitrary folders, which could potentially lead to a DoS attack.

System(s) Affected
----------------
EMUMAIL 5.x used by Mail.gr (possibly EMUMAIL systems < 5 are also vulnerable)
Unknown software used by Mailbox.gr

Exploit
------
The proof of concept code is provided below for EMUMAIL 5.x used by Mail.gr. Emumail handles the folder arguments without any validation. Upon execution of the statement below, a folder will be created under the name provided in the "folder=" parameter:

http://www.mail.gr/email.fcgi?passed=select&reload.x=19&folder=SOMENAME

The same vulnerability exists in Mailbox.gr:

http://www.mailbox.gr/cgi-mailbox/webemail/read.cgi/greek?acc=accountnamehere&folder=SOMENAME

As you can see, both vulnerabilities lie in the passing of folder parameters and the mishandling of the supplied arguments. We strongly believe that Mailbox.gr is somehow "based" on EMUMAIL and is thus still vulnerable.

Also, if you try to run the string below using Internet Explorer 6 SP1, the browser will crash (I have tested it on many systems):

http://www.mailbox.gr/cgi-mailbox/webemail/read.cgi/greek?acc=accountnamehere&folder=(about_2000+_characters)

(I don't know if the same thing happens to you)

Finally, if you run the string above in another browser (not IE), you will get this message from the server:

"Request-URI Too Large The requested URL's length exceeds the capacity limit for this server.request failed: URI too long"

Maybe this can lead to a buffer overflow and execution of arbitrary code.
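
The missing server-side check for the "folder=" parameter, sketched in Python as an added example (this is not EMUMAIL or Mailbox.gr code). The function names, the length cap and the per-account quota are assumptions chosen for illustration; the point is that a "select" request may only open a folder the authenticated account already owns, and that creation is a separate, bounded action.

```python
import re

MAX_FOLDER_LEN = 64         # assumed cap on folder name length
MAX_FOLDERS_PER_USER = 50   # assumed per-account quota
# Allow-list: must start with a letter or digit, then letters, digits,
# space, underscore, dot or hyphen.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _.-]*")


class FolderError(ValueError):
    """Raised when a folder request must be rejected."""


def validate_folder_name(name):
    """Return the name if it is acceptable, else raise FolderError."""
    if not isinstance(name, str) or not name:
        raise FolderError("empty folder name")
    if len(name) > MAX_FOLDER_LEN:
        raise FolderError("folder name too long")
    if not _NAME_RE.fullmatch(name) or ".." in name:
        raise FolderError("illegal characters in folder name")
    return name


def handle_folder_request(action, folder, user_folders):
    """Process a folder request for the authenticated account.

    user_folders is the set of folder names that account already owns
    (hypothetical storage; a real system would read it from the mail store).
    """
    name = validate_folder_name(folder)
    if action == "select":
        # Selecting must never create: unknown names are rejected.
        if name not in user_folders:
            raise FolderError("no such folder")
        return name
    if action == "create":
        if name in user_folders:
            raise FolderError("folder already exists")
        if len(user_folders) >= MAX_FOLDERS_PER_USER:
            raise FolderError("folder quota reached")
        user_folders.add(name)
        return name
    raise FolderError("unknown action")
```
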
-------------------------------------------------------------------------------------

2) MAILBOX Vulnerability ( software developed by SM-SOFT Information and EUROPLANET )

Summary
--------
Two other parameter validation bugs exist in one of the most popular Greek free e-mail providers. The (unknown) affected software is used by mailbox.gr. The first vulnerability allows mass mailing of mailbox.gr's promotional mail. The other bug allows unauthorized viewing of the logon history of any account.

System(s) Affected
----------------
Unknown software used by Mailbox.gr, developed by SM-SOFT Information and EUROPLANET Communication Informatics.

Exploit
------
The proof of concept code is provided below for Mailbox.gr. The software handles the account arguments without validating whether the account exists. Upon execution of the statement below, mailbox.gr's promotional mail will be sent to the address supplied in the useremail parameter as many times as you hit your return key. That could potentially fill up the recipient's inbox, as the promotional mail is about 14kb.

http://www.mailbox.gr/cgi-mailbox/webemail/suggest.cgi?userid=whateverhere&useremail=mail@mpe.gr

The mail will appear to have been sent from whateverhere@mailbox.gr, which is an invalid account name.

The other vulnerability allows viewing the logon history of any account:

http://www.mailbox.gr/cgi-mailbox/webemail/logoview.cgi?userid=accounthere

Executing the statement above will print on your screen the logon history of the accounthere account.

PATCH
-----
The vendor has been notified, but no patch is available yet.

-----------------
Vulnerability and exploit by: Dr_insane ------> dr_insane@pathfinder.gr