[Snort-sigs] SID 2407: WEB-MISC util.pl access

Maarten Van Horenbeeck maarten at ...2078...
Wed Jun 9 12:48:53 EDT 2004

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

Rule:  WEB-MISC util.pl access

Sid: 2407

Summary:  This signature triggers on a request for the util.pl file, part
of the CalaCode @mail Webmail system.  Some versions of this software are
vulnerable to a cross site scripting attack.

Impact:  This signature usually indicates a reconaissance attempt.
Succesful exploitation may lead to invalid content being provided to

Detailed Information:  When accessing the webmail service of @mail, a
cross site scripting bug can be abused in the util.pl file.  When
addressing the "settings" bar, Javascript code can be inserted into the
"Displayed Name" field.

This signature will also trigger on some scripted HTTP vulnerability
scans.  Many vulnerability assessment tools include a check which will
verify whether the util.pl file is available on a web server.  There are
multiple other known vulnerabilities in version 3.64 of the @mail system,
and the existance of this file would reveal its presence.

Affected Systems:  Machines running @mail version 3.64.  Older versions
may also be vulnerable, though this has never been confirmed.

Attack Scenarios: A user can submit malicious Javascript to the "Displayed
Name" field.  As usual with most browsers, this script will be executed
within the security context of the web site.  The session ID of the
connection, which is available from within this security context, can be
abused by the attacker to obtain access to the session and the user's
e-mail account.

Ease of Attack:  Exploitation can be done easily by tricking the user into
visiting a certain URL.

False Positives:  This signature solely triggers on a request for a
util.pl file.  This means that it will trigger on patched systems which
are using @mail.  If you are using this application, and it is patched
against this vulnerability, this signature should be disabled.

False Negatives:  There are no known false negatives.

Corrective Action: If you are a user of @mail version 3.64 or lower,
contact your <a href="http://www.atmail.com">vendor</a> for a patch.

Contributors:  Vulnerability was initially discovered by <a
href=mailto:"dr_insane at ...2543...">dr_insane at ...2543..."</a>.

Additional References: <a
href="http://www.securityfocus.com/bid/9748/info/">Bugtraq ID 9748</a>

Best regards,

Maarten Van Horenbeeck, GCIA <maarten at ...2078...>

More information about the Snort-sigs mailing list