[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050127151050.38578.qmail@web13601.mail.yahoo.com>
Date: Thu, 27 Jan 2005 12:10:50 -0300 (ART)
From: Nash Leon <nashleon@...oo.com.br>
To: bugtraq@...urityfocus.com
Subject: UEBIMIAU <= 2.7.2 MULTIPLES VULNERABILITIES
ADVISORE 01 15/01/2005
INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORE
http://www.intruders.com.br/
http://www.intruders.org.br/
ADVISORE/0105 - UEBIMIAU < 2.7.2 MULTIPLES
VULNERABILITIES
PRIORITY: HIGH
I - INTRODUCTION:
----------------
>From http://www.uebimiau.org/
"UebiMiau is a simple, yet efficient cross-plataform
POP3/IMAP mail
reader written in PHP. It's have some many features,
such as: Folders,
View and Send Attachments, Preferences, Search, Quota
Limit, etc.
UebiMiau DOES NOT require database or extra PHP
modules (--with-imap)"
II - DESCRIPTION:
------------------
Intruders Tiger Team Security has identified multiples
vulnerabilities in Uebimiau WebMail Server in default
installation that can be exploited by malicious users
to hijacking session files and others informations
in target system.
Intruders Tiger Team Security has discovered that many
systems are vulnerables.
III - ANALYSIS
---------------
Uebimiau in default installation create one
temporary folder to store "sessions" and other
files. This folder is defined in "inc/config.php"
as "./database/".
If the web administrator don't change this
folder, one attacker can exploit this using
the follow request:
http://server-target/database/_sessions/
If the Web server permit "directory listing",
the attacker can read session files.
Other problem live in the way that the files
of users are stored. In default installation
the files of the users are stored using
the follow model:
$temporary_directory/<user>_<domain>/
A attacker can access files of users requesting:
http://server-target/database/user_domain/
Where user is the target user and domain is
the target domain.
Intruders Tiger Team Security has found many
servers vulnerable to these attacks.
IV. DETECTION
-------------
Intruders Tiger Team Security has confirmed the
existence
of this vulnerability in Uebimiau version 2.7.2.
Other versions possibly vulnerable too.
V. WORKAROUND
--------------
1 STEP - Insert index.php in each directory of the
Uebimiau.
2 STEP - Set variable $temporary_directory to a
directory
not public and with restricted access, set permission
as read
only to "web server user" for each files in
$temporary_directory.
3 STEP - Set open_basedir in httpd.conf to yours
clients follow
the model below:
<Directory /server-target/public_html>
php_admin_value open_basedir
/server-target/public_html
</Directory>
VI - VENDOR RESPONSE
--------------------
15/01/2005 - Flaw discovered.
18/01/2005 - Contacted Uebimiau Team.
20/01/2005 - Vendor response.
26/01/2005 - Advisore published.
VII - CREDITS
-------------
Glaudson Ocampos(Nash Leon) and Intruders Tiger Team
Security has discovery this vulnerability.
Thanks to Wendel Guglielmetti Henrique (dum_dum) and
Waldemar Nehgme from securityopensource.org.br.
Visit Intruders Tiger Team Security Web Site for
more advisores:
http://www.intruders.com.br/
http://www.intruders.org.br/
_______________________________________________________
Yahoo! Acesso Grátis - Instale o discador do Yahoo! agora. http://br.acesso.yahoo.com/ - Internet rápida e grátis
Powered by blists - more mailing lists