SCAN Associates Advisory : Multiple vurnerabilities on mailreader.com
From: pokleyzz (pokleyzz@scan-associates.net)Date: 10/28/02
- Previous message: Fredrik Björk: "Re: IBM Infoprint Remote Management Simple DoS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 28 Oct 2002 17:48:04 +0800 From: pokleyzz <pokleyzz@scan-associates.net> To: bugtraq <bugtraq@securityfocus.com>, Shaharil Abdul Malek <shaharil@scan-associates.net>, sk <sk@scan-associates.net>, pokley <saleh@scan-associates.net>, Md Nazri Ahmad <nazri@ns1.scan-associates.net>
Products: Mailreader.com v 2.3.31 and below (http://www.mailreader.com)
Date: 28 October 2002
Author: pokleyzz <pokleyzz@scan-associates.net>
Contributors: sk@scan-associates.net shaharil@scan-associates.net
Description
===========
Mailreader.com (http://www.mailreader.com) is web base pop3 email
reader written in perl.
Details
=======
There is multiple vurnerabilities in this package as describe below.
1) Read any text file
By default mailreader install with language support. There is no proper
error checking in configLanguage input.Using nullbyte poisoning we can
easily overwrite that value with any file we want and cause mailreader to
display the file content.
ex:
http://192.168.0.1/cgi-bin/mail/nph-mr.cgi?do=loginhelp&configLanguage=../..
/../../../../../etc/passwd%00
Affected version : <= Mailreader.com v2.3.31
2) Remote command execution
Mailreader allow user to specify their own mail server so any user can
login and use the mailreader . User also can overwrite SMTPServers
configuration using configSMTPServers input. For version 2.3.30 and above
there is an option to use sendmail as mail transfer agent. There is poor
error checking for $CONFIG{RealEmail} in compose.cgi which will use as $from in
network.cgi.
from network.cgi line 372:
if ($server =~ /[.]*sendmail/) {
# close the file 'cause it isn't needed
close FILE;
# send the file
my $res = `$server -U -f$from -t -i < $filename`;
# and escape
return 1;
}
This will allow user to include value that will escape to shell and run
arbitrary command as web user.
Affected version : Mailreader.com v2.3.30 and Mailreader.com v2.3.31
Vendor Response
===============
Vendor has been contacted on 23/10/2002 and new version of Mailreader.com
is available.
- Previous message: Fredrik Björk: "Re: IBM Infoprint Remote Management Simple DoS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
