[NEWS] W3Mail MIME Attachment Vulnerability

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 31 Jul 2002 14:35:37 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  W3Mail MIME Attachment Vulnerability
------------------------------------------------------------------------

SUMMARY

W3Mail (http://www.cascadesoft.com/) provides a simple web email
interface, enabling your employees or customers to access their email from
anywhere in the world. A security vulnerability has been found in the
product's way of handling MIME attachments.

DETAILS

Vulnerable systems:
 * W3Mail version up to and including 1.0.5

The vulnerability comes in two related parts.
1) W3Mail can expose downloaded MIME attachments without correct
authentication in cases where the web server has been configured with
directory indexing enabled for the MIME attachment storage directory.

2) In cases where the web server has server-side scripting of any type
(such as PHP) enabled for the MIME attachment directory, it is possible
to gain remote access as the web server user (typically "nobody").

Technical Details:
1) Unless indexing for the MIME attachment directory is disabled, it is
possible to browse that directory and read arbitrary attachments. Prior to
release 1.0.3, W3Mail did not correctly clean up the MIME directory,
leaving attachments there even after the user to whom they belonged had
logged out. In versions 1.0.3 and more recent, provided the user logs out
correctly, their attachments are removed. Note that the attachments will
remain, as with 1.0.3 and lower releases, if the user simply closes the
browser window rather than using the correct logout link.

2) By sending an executable MIME attachment to a user of W3Mail, a
potential intruder can then request it via their browser and thereby have
it executed by the web server. The attachment must be sent with a non-text
MIME type in order for the malicious code to be written to disk intact.
This part of the vulnerability works even when directory indexing is
turned off for the MIME attachment directory, since attachments are
created under their original file names.

This vulnerability can also be exploited through attachments sent from
W3Mail, although in this case the impact is reduced in versions from 1.0.3
onwards, since they clean the attachments directory after the mail has
been sent, which minimizes the window of time for any attack.

Solution:
In order to completely protect against the vulnerability (in the short
term), Nth Dimension recommend turning off directory indexing and any
server-side file execution for the MIME attachment directory.
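As an added example, not taken from the advisory and not part of W3Mail, the following POSIX shell helper implements the short-term mitigation above on an Apache server (directory listing off, no server-side execution of anything stored in the attachment directory) and adds a periodic purge for the attachments that, as described under Technical Details part 1, are left behind when a user closes the browser instead of using the logout link. The ATTACH_DIR path is a placeholder, since the advisory does not state where W3Mail stores attachments; the .htaccess directives assume Apache with mod_mime and, if PHP is loaded, mod_php (the module name in the IfModule guard is an assumption that varies by PHP version); and `find -mmin` is a GNU/BSD extension rather than strict POSIX.

```shell
#!/bin/sh
# Added example (not from the advisory or from W3Mail): short-term
# hardening of the attachment store plus a purge of stale attachments.
#
# ATTACH_DIR is a placeholder; the real W3Mail attachment path is not
# given in the advisory.
ATTACH_DIR=${ATTACH_DIR:-/var/www/w3mail/attachments}

# Write a .htaccess into the attachment directory.  For these directives
# to take effect, httpd.conf needs "AllowOverride Options FileInfo" for
# that directory (or put the same lines in a <Directory> block instead).
harden_attachment_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    cat > "$dir/.htaccess" <<'EOF'
# Part 1 of the advisory: no directory listing of the attachment store,
# and no CGI or SSI processing here either
Options -Indexes -ExecCGI -Includes
# Part 2 of the advisory: whatever the uploaded file is called, serve it
# as static content and never hand it to a script handler
RemoveHandler .php .php3 .phtml .cgi .pl .shtml
RemoveType .php .php3 .phtml
SetHandler default-handler
# Belt and braces: also switch the PHP engine off.  The module name is an
# assumption and depends on the PHP version in use (mod_php4.c in 2002).
<IfModule mod_php4.c>
    php_flag engine off
</IfModule>
EOF
}

# Remove attachment files older than $2 minutes; the .htaccess stays.
# Covers the case where the user closes the window without logging out.
# find -mmin is a GNU/BSD extension, not strict POSIX.
purge_stale_attachments() {
    dir=$1
    minutes=$2
    find "$dir" -type f ! -name .htaccess -mmin +"$minutes" -exec rm -f {} +
}

# Number of attachment files currently on disk (handy for a cron report
# to spot a store that is filling up with files nobody logged out of).
count_attachments() {
    find "$1" -type f ! -name .htaccess | wc -l | tr -d ' '
}

# Run from cron, e.g. every 30 minutes:
#   ATTACH_DIR=/path/to/attachments sh harden.sh --apply
if [ "${1:-}" = "--apply" ]; then
    harden_attachment_dir "$ATTACH_DIR" || {
        echo "attachment directory $ATTACH_DIR not found" >&2
        exit 1
    }
    purge_stale_attachments "$ATTACH_DIR" 30
    echo "$(count_attachments "$ATTACH_DIR") attachment file(s) remain"
fi
```

The purge interval is a trade-off: too short and a user still reading mail loses an attachment they have not yet downloaded, too long and an unauthenticated reader has that much longer to fetch it by name, so pick it to match the session timeout rather than the example's 30 minutes.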

Vendor status:
The vendor was contacted on 19 July and offered 14 days to produce a fix,
but we have had no reply even acknowledging that the problem exists.

ADDITIONAL INFORMATION

The information has been provided by Tim Brown <timb@nth-dimension.org.uk>.
