@Mail web interface multiple security vulnerabilities
S-Quadra Advisory #2003-12-09
Topic: @Mail web interface multiple security vulnerabilities
Severity: Average
Vendor URL: http://www.atmail.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20031209.txt
Release date: 09 Dec 2003
1. DESCRIPTION
"@Mail is a feature rich Email solution that allows users to access
email-resources via the web or a variety of wireless devices. The
software incorporates a complete email-server package to manage
and host user email at your domain(s)." -
www.atmail.com site says.
2. DETAILS
Multiple security vulnerabilities has been found in the @Mail web
interface which could allow a remote attacker in the worst case to gain
access to user's mailbox.
@Mail allows two different types of installation:
a) Flat file install
All profiles and messages of the @Mail users stored in files.
This storage method is recommended for user bases < 10,000 users.
b) SQL database install (MySQL)
User profiles and messages are stored in a SQL database.
-- Vulnerability 1: Flat file install - Input validation error
'showmail.pl' fails to validate 'Folder' request parameter which allows
an attacker to point it to
mailbox of any registered user in @Mail system.
-- Vulnerability 2: SQL database install - Multiple SQL injection
vulnerabilities
Multiple SQL Injection vulnerabilities has been found in @Mail web
interface. User supplied input is not filtered before being used in a
SQL query. Consequently, query modifications is possible. Successfull
exploitaion could allow a remote attacker to read any email messages for
any email address registered in @Mail system.
Affected scripts - 'atmail.pl', 'search.pl', 'reademail.pl'.
-- Vulnerability 3: SQL database install - Session hijacking vulnerability
When user is logs into @Mail through web interface his session id and
mailbox name are saved in a cookie. Modification of mailbox name allows
a attacker to gain access to victim's mailbox.
Victim's session ID must be active for this attack to be successfull.
-- Vulnerability 4: All types of install - Cross Site Scripting
vulnerability in 'showmail.pl'
By injecting specially crafted javascript code in url and tricking a
user to visit it a remote attacker can steal session id and gain access
to victim's mailbox.
3. PoC Code
-- Vulnerability 1
Platforms: @Mail 3.52 Demo for Windows NT/2000/XP on Windows 2000
Advanced Server
The following url will give access to victim@xxxxxxxxxxxx's mailbox
-http://www.site.com/showmail.pl?Folder=../../victim@xxxxxxxxxxxx/mbox/Inbox
-- Vulnerability 2
Platforms: @Mail 3.52 Demo for Windows NT/2000/XP on Windows 2000
Advanced Server
- through SQL Injection vulnerability in 'search.pl' an attacker can
find message id for any message of any registered user
- the following url open message with message id '666' for user
'victim@xxxxxxxxxx'
-http://www.site.com/reademail.pl?id=666&folder=qwer'%20or%20EmailDatabase_v.Account='victim@xxxxxxxxxx&print=1
-- Vulnerability 3
Platforms: @Mail 3.52 Demo for Windows NT/2000/XP on Windows 2000
Advanced Server
1. Attacker logs into @Mail web interface.
2. Attacker changes mailbox name in a cookie to victim's mailbox name:
Account&hacker%40somehost.com&SessionID&1064305709fzvpjackee =>
Account&victim%40somehost.com&SessionID&1064305709fzvpjackee
3. Attacker opens web interface of victim's email box by visiting the
following url
- http://www.site.com/parse.pl?file=html/english/xp/xplogin.html.
-- Vulnerability 4
Platforms: @Mail 3.52 Demo for Windows NT/2000/XP on Windows 2000
Advanced Server
http://www.site.com/showmail.pl?Folder=<script>alert(document.cookie)</script>
4. FIX INFORMATION
S-Quadra alerted @Mail's development team to these issues on 02 Dec
2003. No response has been received. No fix available.
5. CREDITS
Nick Gudov <cipher@xxxxxxxxxxxx> is responsible for discovering
this issue.
6. ABOUT
S-Quadra offers services in computer security, penetration testing and
network assesment, web application security, source code review and
third party product vulnerability assesment, forensic support and
reverse engineering.
Security is an art and our goal is to bring responsible and high quality
security service to the IT market, customized to meet the unique needs
of each individual client.
S-Quadra, (pronounced es quadra), is not an acronym.
It's unique, creative and innovative - just like the security services
we bring to our clients.
S-Quadra Advisory #2003-12-09