W3Mail May Disclose MIME Attachments to Remote Users and May Allow Remote Users to Execute Arbitrary Code
SecurityTracker Alert ID: 1004835
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jul 25 2002
Impact: Disclosure of user information, Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Description: An information disclosure vulnerability was reported in CascadeSoft's W3Mail web-based front end for mail servers. A remote user may be able to access MIME attachments. A remote user may also be able to execute arbitrary code on the server.

It is reported that, in certain situations where the web server has been configured with indexing for the MIME attachments directory, a remote user can view arbitrary MIME attachments without authenticating to the server. These attachments are apparently stored temporarily in the MIME attachments directory while a W3Mail user is viewing their mail. According to the report, in W3Mail versions prior to 1.0.3, the MIME attachments directory was not properly cleaned up and attachments remained in the directory even after the W3Mail user had logged out.

If the web server has scripting functions (such as PHP) that apply to the MIME attachments directory, a remote user may be able to gain access to the server. A remote user can reportedly send an e-mail containing a MIME attachment executable to a POP3 e-mail account of a W3Mail user. When the recipient opens the e-mail, the attachment file will be temporarily created in the MIME attachments directory. A remote user can then cause the file to be executed by the web server with the privileges of the web server scripting process.

The vendor has reportedly been notified.
Impact: A remote user may be able to view MIME file attachments belonging to a W3Mail user. A remote user may be able to cause arbitrary code to be executed on the system with the privileges of the web server.
Solution: No solution was available at the time of this entry.
The author of the report recommends turning off indexing and any server side file execution for the MIME attachments directory.
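As an added example (not part of the SecurityTracker entry, the advisory, or W3Mail itself), the two Apache httpd directory sections below contrast the weak setup the report describes with the short-term hardening it recommends; the path /var/www/html/w3mail/attachments is an assumed placeholder for wherever W3Mail writes its MIME attachments.

```apache
# Assumed placeholder path for W3Mail's MIME attachments directory; the
# advisory names no path, so substitute the real one from your install.

# --- Weak: the setup the advisory relies on ---------------------------------
# Directory listing is on (part 1: anyone can enumerate and fetch other
# users' attachments), and nothing overrides the server-wide PHP/CGI/SSI
# handlers, so a mailed "report.php" attachment that W3Mail writes here
# is interpreted as the web server user when requested (part 2).
<Directory "/var/www/html/w3mail/attachments">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>

# --- Hardened: the short-term fix the advisory recommends -------------------
<Directory "/var/www/html/w3mail/attachments">
    # Part 1: no automatic index, so the directory cannot be browsed.
    # Filenames are still guessable (attachments keep their original
    # names), which is why part 2 matters even with indexing off.
    Options -Indexes -ExecCGI -Includes -FollowSymLinks
    AllowOverride None
    RemoveHandler .php .phtml .cgi .pl .shtml

    # Part 2: every file is handed to the core static-file handler and
    # labelled as an opaque download, whatever its extension or MIME type,
    # so mod_php, mod_cgi and SSI never see it. A nested FilesMatch is used
    # because Apache merges <Files*> sections after <Directory> sections:
    # a distribution's global <FilesMatch "\.php$"> SetHandler would win
    # over a Directory-level SetHandler, but not over this one when this
    # config is read after it.
    <FilesMatch ".*">
        SetHandler default-handler
        ForceType application/octet-stream
        <IfModule mod_headers.c>
            Header set Content-Disposition attachment
        </IfModule>
    </FilesMatch>
</Directory>

# This only narrows the exposure window while files sit in the directory;
# the durable fix the advisory asks for is to store attachments outside
# the document root altogether.
```

Run `apachectl -t` before reloading, then confirm that a request for the directory URL returns 403 rather than a listing and that a test .php file in the directory is served as a download, not executed.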
Vendor URL: www.cascadesoft.com/
Cause: Access control error, Configuration error
Underlying OS: Linux (Any), UNIX (Any), Windows (NT)
Reported By: Tim Brown <securityfocus@machine.org.uk>
Message History:
None.
Source Message Contents
Date: Thu, 25 Jul 2002 13:36:28 +0100
From: Tim Brown <securityfocus@machine.org.uk>
Subject: [Full-Disclosure] Medium security hole affecting W3Mail
I believe I've found a medium level security hole relating to the way W3Mail stores MIME attachments. I contacted the authors (CascadeSoft - <http://www.cascadesoft.com/>) on the 19th, offering them 14 days to produce a fix, but have had no reply to acknowledge that the problem even exists, so I've decided to publish this warning:
Nth Dimension Security Advisory (NDSA20020719)
Date: 19th July 2002
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: W3Mail (up to and including 1.0.5) <http://www.w3mail.org/>
Vendor: CascadeSoft <http://www.cascadesoft.com/>
Risk: Medium
Summary
This vulnerability comes in 2 related parts.
1) W3Mail can incorrectly expose downloaded MIME attachments without correct authentication in cases where the Web Server has been configured with indexing for the MIME attachments storage directory.
2) In cases where the web server has server side scripting of any type (such as PHP) enabled for the MIME attachments directory, it is possible to gain remote access as the webserver user, typically nobody.
Technical Details
1) Unless indexing for the MIME attachments directory is disabled it is possible to browse the MIME attachments directory and read arbitrary attachments. Prior to release 1.0.3, W3Mail did not correctly clean up the MIME directory, leaving the attachments there even after the user to whom they belonged had logged out. In versions 1.0.3 and more recent, providing the user correctly logs out their attachments will be removed. Note that the attachments will remain, as with 1.0.3 and lower releases, if the user simply closes the window rather than using the correct logout link.
2) By sending a MIME attachment executable by the web server from the MIME attachments directory to a POP3 account accessed from the W3Mail web based POP3 client, remote access as the webserver user can in theory be achieved, if the user to whom the mail is sent opens the malicious email (and thus creates the attachments within the MIME attachments directory for the lifetime explained in part 1). Whilst the attachment exists, the potential intruder can request it via their browser and therefore have it executed by the web server. The attachment must be sent as a non-text MIME type in order for the malicious code to correctly be created. This part of the vulnerability will work even when directory indexing is turned off for the MIME attachments directory since attachments are created with their original name.
This vulnerability can also be exploited on attachments being sent from W3Mail, although in this case the effect is reduced in versions from 1.0.3 onwards, which clean the attachments directory after the mail has been sent, minimizing the potential time for any attack.
Solutions
In order to completely protect against the vulnerability (in the short term), Nth Dimension recommend turning off indexing and any server side file execution for the MIME attachments directory; however, it is our belief that it would be better to rewrite the affected code with a view to storing attachments (either those being sent or received) outside the web server's document root.
I found it purely by chance, as one of my friends has a web stats utility running on his W3Mail server - it was listing attachments, and I was surprised to find that they could be accessed without any authentication - more shocking still, it's possible to use this knowledge to upload malicious code to be executed via a browser.
Cheers,
Tim
--
Tim Brown
<mailto:netsys@machine.org.uk>
<http://www.machine.org.uk/>
_______________________________________________
Full-Disclosure - We believe in it.
Full-Disclosure@lists.netsys.com
http://lists.netsys.com/mailman/listinfo/full-disclosure