[UNIX] Multiple Vulnerabilities in mailreader.com
From: support@securiteam.com
Date: 10/31/02
From: support@securiteam.com
To: list@securiteam.com
Date: 31 Oct 2002 12:43:37 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vulnerabilities in mailreader.com
------------------------------------------------------------------------
SUMMARY
Mailreader.com <http://www.mailreader.com> is a web-based POP3 email reader
written in Perl. Two security vulnerabilities have been found in the
product, allowing remote attackers to view arbitrary files and to execute
arbitrary commands.
DETAILS
Vulnerable systems:
* Mailreader.com version 2.3.31 and prior
Immune systems:
* Mailreader.com version 2.3.33
There are multiple vulnerabilities in this package, as described below.
1) Read any text file
By default, Mailreader installs with language support. The configLanguage
input is not properly checked. Using NULL byte poisoning, we can
easily overwrite that value with any file we want and cause Mailreader to
display the file's contents.
Example:
http://192.168.0.1/cgi-bin/mail/nph-mr.cgi?do=loginhelp&configLanguage=../../../../../../../etc/passwd%00
2) Remote command execution
Mailreader allows users to specify their own mail server, so any user can
log in and use Mailreader. Users can also overwrite the SMTP server
configuration using the configSMTPServers input. Versions 2.3.30 and above
have an option to use sendmail as the mail transfer agent. There is poor
error checking for $CONFIG{RealEmail} in compose.cgi, which is used as
$from in network.cgi.
From network.cgi line 372:

    if ($server =~ /[.]*sendmail/) {
        # close the file 'cause it isn't needed
        close FILE;
        # send the file
        my $res = `$server -U -f$from -t -i < $filename`;
        # and escape
        return 1;
    }

This allows a user to supply a value that escapes to the shell and runs
arbitrary commands as the web user.
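
Hardened handling of both inputs described above (configLanguage, and the $from value passed to sendmail), as an added example that is not taken from the advisory or from Mailreader.com. The sub names, the language list, the sendmail path and the address pattern are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not Mailreader.com code. Sub names, the language list,
# the sendmail path and the address pattern are assumptions.
my %LANGUAGES = map { $_ => 1 } qw(english french german);
my $SENDMAIL  = '/usr/sbin/sendmail';  # fixed server-side, never from the request

# configLanguage: accept a known language name only, never a path.
sub safe_language {
    my ($lang) = @_;
    return unless defined $lang;
    # \A and \z anchor the whole string, so "../", "/" and NUL bytes all fail.
    return unless $lang =~ /\A([a-z]{1,32})\z/;
    return $LANGUAGES{$1} ? $1 : undef;
}

# $from: conservative address pattern without whitespace or shell metacharacters.
sub safe_sender {
    my ($from) = @_;
    return unless defined $from;
    return $from =~ /\A([A-Za-z0-9][A-Za-z0-9._+-]*\@[A-Za-z0-9][A-Za-z0-9.-]*)\z/ ? $1 : undef;
}

# Replacement for the backtick call: list-form exec starts no shell, so each
# argument reaches sendmail verbatim and the message is passed on STDIN.
sub send_via_sendmail {
    my ($from, $filename) = @_;
    my $sender = safe_sender($from) or return 0;
    open(my $msg, '<', $filename) or return 0;
    my $pid = fork();
    return 0 unless defined $pid;
    if ($pid == 0) {
        open(STDIN, '<&', $msg) or exit 127;
        exec { $SENDMAIL } $SENDMAIL, '-U', "-f$sender", '-t', '-i';
        exit 127;   # reached only if exec failed
    }
    close $msg;
    waitpid($pid, 0);
    return $? == 0 ? 1 : 0;
}

# Constructed inputs; nothing is sent here, only validation is exercised.
for my $in ('english', "../../etc/passwd\0", 'klingon') {
    (my $shown = $in) =~ s/\0/\\0/g;
    printf "language %-20s => %s\n", $shown, safe_language($in) // 'rejected';
}
for my $in ('user@example.com', 'user@example.com;x', 'user name@example.com') {
    printf "sender   %-22s => %s\n", $in, safe_sender($in) // 'rejected';
}
```

The pattern /[.]*sendmail/ in the original check is unanchored and matches any string containing "sendmail", which is why the MTA path in this example is a server-side constant.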
Vendor Response:
The vendor was contacted on 23/10/2002 and a new version of Mailreader.com
is available.
ADDITIONAL INFORMATION
The information has been provided by
<mailto:pokleyzz@scan-associates.net> pokleyzz of SCAN Associates.