Re: UEBIMIAU <= 2.7.2 MULTIPLES VULNERABILITIES
From: pokley (pokleyzz_at_scan-associates.net)
Date: Fri, 28 Jan 2005 12:51:50 +0800
To: "Nash Leon" <firstname.lastname@example.org>, email@example.com

I discovered this bug independently in March 2004. Since the Uebimiau team
have a comment to change the default temporary directory for security reasons
in their config file, this seemed not critical to me and I decided not to
inform the developer.

In this case this bug may lead to remote command execution by uploading
a PHP script as an attachment, since Uebimiau will preserve the original file
extension for an uploaded attachment. We may know the actual uploaded file by
decoding the session file (*.usf).
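
// Decode a session file (*.usf) given as the first command-line argument:
// the contents are bitwise-inverted serialized PHP data.
$fp = fopen($argv[1], "r");
$result = fread($fp, filesize($argv[1]));
fclose($fp);
$result = unserialize(~$result);
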
On Thu, 27 Jan 2005 12:10:50 -0300 (ART), Nash Leon
> ADVISORE 01 15/01/2005
> INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORE
> ADVISORE/0105 - UEBIMIAU < 2.7.2 MULTIPLES
> PRIORITY: HIGH
> I - INTRODUCTION:
> From http://www.uebimiau.org/
> "UebiMiau is a simple, yet efficient cross-platform POP3/IMAP mail
> reader written in PHP. It has many features, such as: Folders,
> View and Send Attachments, Preferences, Search, Quota Limit, etc.
> UebiMiau DOES NOT require database or extra PHP modules (--with-imap)"
> II - DESCRIPTION:
> Intruders Tiger Team Security has identified multiple
> vulnerabilities in Uebimiau WebMail Server in default
> installation that can be exploited by malicious users
> to hijack session files and other information
> in the target system.
> Intruders Tiger Team Security has discovered that many
> systems are vulnerable.
> III - ANALYSIS
> Uebimiau in default installation creates one temporary folder to
> store "sessions" and other files. This folder is defined in
> "inc/config.php" as "./database/".
> If the web administrator doesn't change this folder, an attacker
> can exploit this using the following request:
> If the Web server permits "directory listing", the attacker can
> read session files.
> Another problem lies in the way that the files of users are stored.
> In default installation the files of the users are stored using
> the following model:
> An attacker can access files of users by requesting:
> Where user is the target user and domain is the target domain.
> Intruders Tiger Team Security has found many servers vulnerable
> to these attacks.
> IV. DETECTION
> Intruders Tiger Team Security has confirmed the
> of this vulnerability in Uebimiau version 2.7.2.
> Other versions possibly vulnerable too.
> V. WORKAROUND
> 1 STEP - Insert index.php in each directory of the
> 2 STEP - Set variable $temporary_directory to a
> not public and with restricted access, set permission as read
> only to "web server user" for each file in
> 3 STEP - Set open_basedir in httpd.conf for your clients following
> the model below:
> <Directory /server-target/public_html>
> php_admin_value open_basedir
> VI - VENDOR RESPONSE
> 15/01/2005 - Flaw discovered.
> 18/01/2005 - Contacted Uebimiau Team.
> 20/01/2005 - Vendor response.
> 26/01/2005 - Advisory published.
> VII - CREDITS
> Glaudson Ocampos (Nash Leon) and Intruders Tiger Team
> Security discovered this vulnerability.
> Thanks to Wendel Guglielmetti Henrique (dum_dum) and
> Waldemar Nehgme from securityopensource.org.br.
> Visit Intruders Tiger Team Security Web Site for
> more advisories:
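
A defender-side check for the exposures discussed in this thread, as an added example that is not part of either message or of UebiMiau's own code: it tests a temporary directory against workaround steps 1 and 2 and flags stored files with a script extension. The function name `audit`, the finding labels, the extension list and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Extensions a PHP-enabled server commonly executes (assumed list; match it
# to the handler mappings of the server being audited).
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}


def audit(docroot, temp_dir):
    """Return (finding, path) tuples for a webmail temporary directory."""
    findings = []
    docroot = os.path.realpath(docroot)
    temp_dir = os.path.realpath(temp_dir)

    # Workaround step 2: the temporary directory must not be public.
    if os.path.commonpath([docroot, temp_dir]) == docroot:
        findings.append(("temp-dir-under-docroot", temp_dir))

    for root, _dirs, files in os.walk(temp_dir):
        # Workaround step 1: an index.php in each directory, so a directory
        # request returns that file rather than a listing.
        if "index.php" not in files:
            findings.append(("no-index-php", root))
        for name in files:
            path = os.path.join(root, name)
            ext = os.path.splitext(name)[1].lower()
            # Attachments keep their original extension, so a stored script
            # in a web-reachable directory could be executed by the server.
            if ext in SCRIPT_EXTS and name != "index.php":
                findings.append(("script-in-temp-dir", path))
            # Step 2 also restricts access to the web server user: flag any
            # permission bits granted to "other".
            if os.stat(path).st_mode & 0o007:
                findings.append(("world-accessible", path))
    return findings


if __name__ == "__main__":
    # Constructed sample tree (not from the page): a public temporary
    # directory holding one session file and one uploaded script.
    with tempfile.TemporaryDirectory() as top:
        docroot = os.path.join(top, "public_html")
        sub = os.path.join(docroot, "database", "u1")
        os.makedirs(sub)
        for name in ("session.usf", "upload.php"):
            open(os.path.join(sub, name), "w").close()
        for kind, path in audit(docroot, os.path.join(docroot, "database")):
            print(kind, path)
```

An empty result means none of the three conditions was found; it does not replace checking the web server's own directory-listing and handler configuration.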