ID

VAR-200404-0108


TITLE

Floosietek FTGate Mail Server Multiple Input Validation Vulnerabilities

Trust: 0.9

sources: CNVD: CNVD-2004-1013 // BID: 10058

DESCRIPTION

FloosieTek FTGatePro Mail Server is a versatile mail server that includes anti-virus integration, anti-spam, NAT SAM integration and more. The FTGate web mail server lacks sufficient filtering of user-submitted parameters, and remote attackers can exploit this vulnerability to obtain sensitive user information. The problem is that 'individual.fts' lacks filtering for the "Display name" field. An attacker builds a malicious web page to entice the user to access it and thereby obtain information such as the sensitive cookie of the target user. It has been reported that FTGate is prone to multiple remote input validation vulnerabilities: a cross-site scripting issue and an HTML injection vulnerability. These issues are due to a failure of the application to properly sanitize user-supplied input before using it in dynamic web content. The cross-site scripting issue could permit a remote attacker to create a malicious link to the vulnerable application that includes hostile HTML and script code. If this link were followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials or other attacks. An attacker may exploit the HTML injection vulnerability to execute arbitrary script code in the browser of an unsuspecting user. It may be possible to steal the unsuspecting user's cookie-based authentication credentials, as well as other sensitive information. Other attacks may also be possible.

Trust: 0.81

sources: CNVD: CNVD-2004-1013 // BID: 10058

IOT TAXONOMY

category: ['Network device'] | sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2004-1013

AFFECTED PRODUCTS

vendor: no | model: - | scope: - | version: -

Trust: 0.6

vendor: floosietek | model: ftgatepro | scope: eq | version: 1.2(1331)

Trust: 0.3

vendor: floosietek | model: ftgatepro | scope: eq | version: 1.2

Trust: 0.3

vendor: floosietek | model: ftgateoffice | scope: eq | version: 1.2

Trust: 0.3

sources: CNVD: CNVD-2004-1013 // BID: 10058

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD: CNVD-2004-1013
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2004-1013
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2004-1013

THREAT TYPE

network

Trust: 0.3

sources: BID: 10058

TYPE

Input Validation Error

Trust: 0.3

sources: BID: 10058

EXTERNAL IDS

db: BID | id: 10058

Trust: 0.9

db: CNVD | id: CNVD-2004-1013

Trust: 0.6

sources: CNVD: CNVD-2004-1013 // BID: 10058

REFERENCES

url: http://members.lycos.co.uk/r34ct/main/ftgateofficeftgatepro%20v1.2.txt

Trust: 0.9

url: http://www.ftgate.com

Trust: 0.3

url: http://www.floosietek.com/content/57.htm

Trust: 0.3

sources: CNVD: CNVD-2004-1013 // BID: 10058

CREDITS

Disclosure of this issue is credited to Dr_insane <dr_insane@pathfinder.gr>.

Trust: 0.3

sources: BID: 10058

SOURCES

db: CNVD | id: CNVD-2004-1013
db: BID | id: 10058

LAST UPDATE DATE

2022-05-17T01:50:38.083000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2004-1013 | date: 2014-01-22T00:00:00
db: BID | id: 10058 | date: 2004-04-06T00:00:00

SOURCES RELEASE DATE

db: CNVD | id: CNVD-2004-1013 | date: 2004-04-06T00:00:00
db: BID | id: 10058 | date: 2004-04-06T00:00:00