Product:
SakeMail - Webmailsystem (http://www.endymion.com)
Problem Description:
Due to missing input validation it is possible to read XML and other files with SakeMail's permissions.
Read THIS (javanullbyte.html) for additional information on null bytes and Java classes!
Example:
An HTTP request to:
http://hostname/com.endymion.sake.servlet.mail.MailServlet
with the following parameters:
cmd_help=1
param_name= [relative FILE/PATH] [Nullbyte/0x00]
... will lead to disclosure of [FILE/PATH]
Remark:
For some strange reason the XML parser used on Windows behaves differently:
the Unix version lets you read any file, while the Windows version allows only "xml-style" files to be read.
If the system authenticates against MySQL or MSSQL it is very likely that database usernames and passwords can be found within general.ini or mail.ini.
Config files with sensitive information:
mail.ini (db-usernames and passwords)
generali.ini
mssqlserver.sql
mysql.sql
Summary:
vendor: Endymion (http://www.endymion.com)
system: SakeMail (all versions)
object: com.endymion.sake.servlet.mail.MailServlet(maybe others)
class: Referring to OWASP-IV (Input Validation Classes)
Directory Traversal (IV-DT-1)
Null Character (IV-NC-1)
remote: yes
local: ---
severity: medium-high
vendor: has been informed
patch/fix:
recommended fix: sanitize meta-characters from user input
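As an added illustration of that fix (example code written for this advisory, not SakeMail's own source), the validator below shows how a servlet that maps a request parameter to a file should treat it: reject a null byte outright (older JVMs hand the string to the native open() call, which stops at the first 0x00), accept only names from a strict allowlist instead of stripping characters, and check the canonical path against the base directory as defence in depth. The class name, the help-file directory and the ".xml" naming rule are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

/** Maps an untrusted file-name parameter onto a file under one fixed directory (hypothetical helper). */
public final class SafeHelpFileResolver {
    // Allowlist: a bare file name of letters, digits, '_' or '-', ending in ".xml"; no '/', '\\', '.' runs or NUL.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}\\.xml");

    private final String baseDirPath;

    public SafeHelpFileResolver(File baseDir) throws IOException {
        // Canonicalise once so later comparisons are not fooled by symlinks or "..".
        this.baseDirPath = baseDir.getCanonicalPath() + File.separator;
    }

    public File resolve(String paramName) throws IOException {
        if (paramName == null) {
            throw new IllegalArgumentException("missing parameter");
        }
        // Null byte: reject explicitly rather than relying on the JVM or the regex to catch it.
        if (paramName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("null byte in parameter");
        }
        // Allowlist, not a blocklist: anything that is not a plain help-file name is refused.
        if (!SAFE_NAME.matcher(paramName).matches()) {
            throw new IllegalArgumentException("invalid file name");
        }
        File target = new File(baseDirPath, paramName).getCanonicalFile();
        // Defence in depth: the resolved path must still lie inside the base directory.
        if (!target.getPath().startsWith(baseDirPath)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        SafeHelpFileResolver r = new SafeHelpFileResolver(new File(System.getProperty("java.io.tmpdir"), "help"));
        // Constructed inputs: one legitimate name, two shaped like the advisory's traversal/null-byte request.
        String[] samples = { "index.xml", "../mail.ini\0", "..\\general.ini" };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + r.resolve(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Only "index.xml" is accepted; the other two samples are rejected before any file is opened.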
© 2002 Martin Eiszner
security@freefly.com
http://www.websec.org