lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050127151050.38578.qmail@web13601.mail.yahoo.com>
Date: Thu, 27 Jan 2005 12:10:50 -0300 (ART)
From: Nash Leon <nashleon@...oo.com.br>
To: bugtraq@...urityfocus.com
Subject: UEBIMIAU <= 2.7.2 MULTIPLES VULNERABILITIES


ADVISORE 01  15/01/2005

INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORE

       http://www.intruders.com.br/
       http://www.intruders.org.br/


ADVISORE/0105 - UEBIMIAU < 2.7.2 MULTIPLES
VULNERABILITIES

PRIORITY: HIGH


I - INTRODUCTION:
----------------

>From http://www.uebimiau.org/

"UebiMiau is a simple, yet efficient cross-plataform
POP3/IMAP mail
reader written in PHP. It's have some many features,
such as: Folders,
View and Send Attachments, Preferences, Search, Quota
Limit, etc.
UebiMiau DOES NOT require database or extra PHP
modules (--with-imap)"


II - DESCRIPTION:
------------------

Intruders Tiger Team Security has identified multiples
vulnerabilities in Uebimiau WebMail Server in default
installation that can be exploited by malicious users
to hijacking session files and others informations
in target system.
 
Intruders Tiger Team Security has discovered that many
systems are vulnerables.


III - ANALYSIS
---------------

Uebimiau in default installation create one
temporary folder to store "sessions" and other
files. This folder is defined in "inc/config.php"
as "./database/".

If the web administrator don't change this
folder, one attacker can exploit this using
the follow request:

http://server-target/database/_sessions/

If the Web server permit "directory listing",
the attacker can read session files.

Other problem live in the way that the files
of users are stored. In default installation
the files of the users are stored using
the follow model:

$temporary_directory/<user>_<domain>/

A attacker can access files of users requesting:

http://server-target/database/user_domain/

Where user is the target user and domain is
the target domain.

Intruders Tiger Team Security has found many
servers vulnerable to these attacks.


IV. DETECTION
-------------

Intruders Tiger Team Security has confirmed the
existence 
of this vulnerability in Uebimiau version 2.7.2. 
 
Other versions possibly vulnerable too.


V. WORKAROUND
--------------

1 STEP - Insert index.php in each directory of the
Uebimiau.

2 STEP - Set variable $temporary_directory to a
directory 
not public and with restricted access, set permission
as read
only to "web server user" for each files in
$temporary_directory.

3 STEP - Set open_basedir in httpd.conf to yours
clients follow  
the model below:

<Directory /server-target/public_html>
php_admin_value open_basedir
/server-target/public_html
</Directory>


VI - VENDOR RESPONSE
--------------------

15/01/2005 - Flaw discovered. 
18/01/2005 - Contacted Uebimiau Team. 
20/01/2005 - Vendor response. 
26/01/2005 - Advisore published.


VII - CREDITS
-------------

Glaudson Ocampos(Nash Leon) and Intruders Tiger Team  
Security has discovery this vulnerability. 
 
Thanks to Wendel Guglielmetti Henrique (dum_dum) and
Waldemar Nehgme from securityopensource.org.br. 
 
Visit Intruders Tiger Team Security  Web Site  for
more advisores: 
  
http://www.intruders.com.br/ 
http://www.intruders.org.br/


	
	
		
_______________________________________________________ 
Yahoo! Acesso Grátis - Instale o discador do Yahoo! agora. http://br.acesso.yahoo.com/ - Internet rápida e grátis


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ