lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050111014755.11989.qmail@www.securityfocus.com>
Date: 11 Jan 2005 01:47:55 -0000
From: <wang@...dyresponse.org>
To: bugtraq@...urityfocus.com
Subject: IlohaMail Insecure Configuration Files





------------------------------------------------

Advisory Name : IlohaMail Insecure Configuration Files
Release Date : 10 January, 2004
Application : IlohaMail (http://ilohamail.org/)
Vulnerable: IlohaMail-0.8.14-rc1 and lower
Not Vulnerable: IlohaMail-0.8.14-rc2

Author : SRR Project Group of Ready Response (srr.readyresponse.org / www.readyresponse.org)

------------------------------------------------

Description

IlohaMail is a PHP based lightweight full featured multilingual webmail program with IMAP and POP3 support. If an administrator follows the "INSTALL" file steps to install IlohaMail they will end up with an insecure setup that could allow a remote visitor to the web site to download their configuration files and in some cases obtain username/password credentials for SMTP authentication (very useful to spammers).

The problem exists primarily due to the use of the file extension ".inc" on a number of important configuration files, such as:
 
conf/conf.inc
conf/custom_auth.inc
conf/login.inc

The problem is made worse because the installation instructions do not correctly inform the end user of how to securely setup their IlohaMail. ".inc" is not a secure file extension to use, and therefore if the .inc configuration files are within the web root (a result of following the INSTALL file steps) they will be publicly accessible/readable via the URL:

http://yourdomain.com/IlohaMail/conf/conf.inc
etc

This is dangerous as it can potentially reveal the following information to any remote visitor:

* File paths to important directories (upload directories for mail attachments, session storage directories etc)

* Authenticated SMTP credentials (highly valuable information to spammers)

* Other useful information for potential attackers

------------------------------------------------
 
Exploit
 
No exploit is required to leverage this issue.
 

------------------------------------------------
 
Solution / Vendor Response

Our suggested fix to the IlohaMail team was to stop using the ".inc" file extension and instead use a more secure file extension such as ".inc.php" or ".php" for all include files. 

The IlohaMail team were contacted on 15/12/2004 and promptly replied + investigated this issue. We were informed on 23/12/2004 that the IlohaMail team would be fixing this issue in 0.9 and would be implementing a workaround for 0.8 releases.

IlohaMail-0.8.14-rc2 was released on 01/01/2005 and has addressed this issue.

We would like to thank IlohaMail for their fast response and professional attitude to security.


------------------------------------------------
 
Credit
 
Discovery of this issue is credited to the SRR project group of Ready Response - (srr.readyresponse.org / www.readyresponse.org)


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ