[UNIX] Instant Web Mail Additional POP3 Commands and Mail Headers
From: support@securiteam.com
Date: 03/26/02
From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 26 Mar 2002 15:42:29 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Instant Web Mail Additional POP3 Commands and Mail Headers
------------------------------------------------------------------------
SUMMARY
Instant Web Mail is a free, web-based POP mail client. It is incredibly
easy to install - however, the easy installation comes at a price: There
are no Sent mail and Trash folders, and there is no address book. Due to
inadequate character filtering it is possible to tell the program to
execute other POP3 commands in addition to those used to create/send
messages (for example, cause it to log on to other people's accounts,
delete messages, etc). Further, a vulnerability allows embedding of
attachments by means other than those provided by the normal interface.
DETAILS
Vulnerable systems:
Instant Web Mail version 0.59 and prior
Immune systems:
Instant Web Mail version 0.60
1) The function command(), which sends a POP3 command to a POP3 server,
allows embedded CR and LF characters. Nowhere in the program are those
characters stripped in user input before it is sent to that function. This
means that we can include additional POP3 commands in user requests.
The program also converts URLs in e-mail messages to links. This makes it
easy for an evil person to send a link to a user, and for that user to
visit it. He or she may then be redirected from the evil server back to a
page at his or her Instant Web Mail installation. If the evil server
passes an additional POP3 command for deleting a mail in the URL that it
redirects to, Instant Web Mail will then show the user one mail while
deleting another one.
One example of such a URL to redirect to would be:
http://www.userhost.se/instantwebmail/message.php?id=1%0D%0ADELE+2&
2) The mail sending script write.php allows embedded CR and LF characters
in the user input that makes up mail headers like From, To, Cc, Bcc,
Subject, and X-Priority. This can be used for adding uuencoded attachments
up in the headers with lines ending in CR instead of CRLF.
This issue can be exploited by simply saving Instant Web Mail's HTML page
for writing mails, and changing some text fields to textareas.
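The input checks that issues 1 and 2 call for, shown as an added PHP example (not Instant Web Mail's code and not the vendor's 0.60 fix), using the id value from the URL above. The helper names are hypothetical, and the use of RETR for the id parameter is an assumption.

```php
<?php
// Added example: hypothetical helpers, not Instant Web Mail's own code.

// Before: the argument reaches the POP3 socket exactly as received.
function pop3_line_unfiltered(string $verb, string $arg): string
{
    return "$verb $arg\r\n";
}

// After: a message number must be a positive decimal integer, so CR, LF
// and spaces can never appear in the command line.
function pop3_line_for_message(string $verb, string $id): string
{
    if (!in_array($verb, ['RETR', 'DELE', 'LIST', 'UIDL'], true)) {
        throw new InvalidArgumentException('unexpected POP3 verb');
    }
    if (!preg_match('/\A[1-9][0-9]{0,9}\z/', $id)) {
        throw new InvalidArgumentException('message id must be a positive integer');
    }
    return "$verb $id\r\n";
}

// Header values (From, To, Cc, Bcc, Subject, X-Priority): reject a bare CR
// as well as LF, since a lone CR is what issue 2 relies on. Tab is allowed.
function mail_header_line(string $name, string $value): string
{
    if (preg_match('/[\x00-\x08\x0A-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException("control character in $name header");
    }
    return "$name: $value\r\n";
}

// What a server reading CRLF-terminated lines would see.
function wire_lines(string $data): array
{
    return preg_split('/\r\n/', $data, -1, PREG_SPLIT_NO_EMPTY);
}

$id = urldecode('1%0D%0ADELE+2');   // id parameter from the advisory's URL
echo json_encode(wire_lines(pop3_line_unfiltered('RETR', $id))), "\n";

$checks = [
    fn() => pop3_line_for_message('RETR', $id),
    fn() => pop3_line_for_message('RETR', '1'),
    fn() => mail_header_line('Subject', "hello\rconstructed second line"),
];
foreach ($checks as $check) {
    try { echo json_encode($check()), "\n"; }
    catch (InvalidArgumentException $e) { echo 'rejected: ', $e->getMessage(), "\n"; }
}
```

Rejecting the request outright, rather than stripping the characters and continuing, leaves a log entry for the attempt and avoids sending a command or header the user never intended.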
Vendor status:
The vendor was contacted on 14 March. We discussed these issues for a few
days. Version 0.60, which is not vulnerable to any of these issues, was
released on 17 March.
Recommendations:
It is recommended that all users upgrade to version 0.60 immediately.
ADDITIONAL INFORMATION
The information has been provided by Ulf Harnhammar
<ulfh@update.uu.se>.
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.