Secunia

Dr_insane has reported multiple vulnerabilities in Gattaca Server 2003, which can be exploited by malicious people to disclose system information, cause a DoS (Denial of Service), or conduct cross-site scripting attacks.

1) The installation path is returned in a error message when a NULL byte is appended to the end of an URL.

Example:
http://[victim]/%00

2) Input passed to the "Language" parameter in various scripts isn't properly validated before being used. This may cause the application to return an error message disclosing the path of the web root or consume large amounts of CPU resources.

Examples:
http://[victim]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=[invalid_string]
http://[victim]/index.tmpl?HELPID=1000&TEMPLATE=skins//water&LANGUAGE=/

3) Input passed to the "TEMPLATE" and "LANGUAGE" parameters in the "web.tmpl" script isn't properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable website by tricking the user into visiting a malicious website or follow a specially crafted link.

Examples:
http://[victim]/web.tmpl?HELPID=8000&TEMPLATE=[code]//[code]&LANGUAGE=lang//en
http://[victim]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=[code]//[code]

4) An error within the connection handling can be exploited to crash the application by establishing about 600 simultaneous connections to the services.

5) An error within the POP3 service can be exploited by malicious, authenticated users to crash the application by supplying extremely large values to the "LIST", "RETR", and "UIDL" commands.

The vulnerabilities have been reported in version 1.1.10.0. Other versions may also be affected.

Solution
Use another product.

Provided and/or discovered by
Dr_insane

Original Advisory
http://members.lycos.co.uk/r34ct/main/Gattaca%20Server%202003.txt

Deep Links
Links available in Customer Area