<<< Date Index >>>     <<< Thread Index >>>

JavaMail Information Disclosure (msgno)




"The JavaMail API provides a platform-independent and protocol-independent 
framework to build mail and messaging applications. The JavaMail API is 
implemented as a Java platform optional package and is also available as part 
of the Java 2 platform, Enterprise Edition. JavaMail provides a common, uniform 
API for managing electronic mail. It allows service-providers to provide a 
standard interface to their standards-based or proprietary messaging systems 
using the Java programming language. Using this API, applications access 
message stores, and compose and send messages. The JavaMail API is composed of 
a set of abstract classes that model the various pieces of a typical mail 
system."

The JavaMail API doesn't properly validate authenticated user message number 
attribute, allowing authenticated users to view other's messages.  
 
Vulnerable Systems:
 * Solstice Internet Mail Server POP3 2.0
 * JavaMail API

The JavaMail API doesn't properly validate authenticated user message number 
attribute in MimeMessage constructor javax.mail.internet.InternetHeaders 
object, authenticated user is being able to access to others message requesting 
msgno. First attacker need to login to javamail from web with correct user name 
and password. Then the attacker will be able to request others message through 
msgno. Which means the attacker will be able to view all message from server.

The MimeMessage constructor holds its headers in 
javax.mail.internet.InternetHeaders object. This object, when constructed with 
an InputStream, reads lines from the stream until it reaches the blank line 
that indicates end of header. It stores the lines as RFC822 header-fields. 
After the InternetHeaders object reads from the input stream, the stream is 
positioned at the start of the message body.

The POP3 implementation uses this constructor to load the message headers when 
one is requested:
public class POP3Message extends MimeMessage {
//Keep track of whether the Message data has been loaded
boolean loaded = false;
int hdrSize;
...
public String[] getHeader(String name) {
//Get the headers on demand from the message store
load();
// Don't need to reimplement getting the header object's contents
return super.getHeader(name);
}
/*** Reimplement all variants of getHeader() as above ***/
...
private synchronized void load() {
if (!loaded) {
// Get message data (headers and content) and cache it
content = POP3Command("RETR", msgno);
// Open a stream to the cache
InputStream is = new ByteArrayInputStream(content);
// Setup "headers" field by getting the header data
headers = new InternetHeaders(is);
// Save header size to easily access msg content from cache
hdrSize = content.length - is.available();
loaded = true;

This line make authenticated user to able to view others message through msgno :
content = POP3Command("RETR", msgno);

When user login and view his message and he may notice that
http://javamaildomain.com/ReadMessage.jsp?msgno=1000

User can do easily change msgno to whatever he want. If he entre valid message 
no, then he will be able to view others message.
http://javamaildomain.com/ReadMessage.jsp?msgno=10001
http://javamaildomain.com/ReadMessage.jsp?msgno=10002

Will not be his message number. And now user may know that he is accessing 
others message.