SecurityTracker.com Archives - Mailread.com POP Mail Software Input Validation Bugs Let Remote Users Read Files and Execute Commands on the System

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (E-mail Server) > Mailreader.com

Vendors: Mailreader.com

Mailread.com POP Mail Software Input Validation Bugs Let Remote Users Read Files and Execute Commands on the System

SecurityTracker Alert ID: 1005494

SecurityTracker URL: http://securitytracker.com/id?1005494

CVE Reference: CAN-2002-1581 , CAN-2002-1582 (Links to External Site)

Updated: Jul 6 2004

Original Entry Date: Oct 29 2002

Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network

Fix Available: Yes Exploit Included: Yes Vendor Confirmed: Yes

Advisory: SCAN Associates

Version(s): 2.3.31 and prior versions

Description: Two vulnerabilities were reported in the Mailreader.com POP mail viewer. A remote user can read files and execute arbitrary commands on the system.

SCAN Associates reported that the product contains multiple input validation flaws. A remote user can use null byte poisoning to overwrite the 'configLanguage' value to display arbitrary files on the system that are readable by the web server [CVE: CAN-2002-1581]. A demonstration exploit URL is provided:

http://192.168.0.1/cgi-bin/mail/nph-mr.cgi?do=loginhelp&configLanguage=../..
/../../../../../etc/passwd%00

It is reported that a remote user can also overwrite the 'configSMTPServers' value in version 2.3.30 and 2.3.31 to specify sendmail as the mail transfer agent. According to the report, the 'compose.cgi' script does not properly filter the $CONFIG{RealEmail} variable and uses the '$from' variable that is specified in the 'network.cgi' script. A remote user can send a specially crafted value to execute arbitrary shell commands with the privileges of the web daemon [CVE: CAN-2002-1582].

Impact: A remote user can read files on the system that are readable by the web server. A remote user can execute arbitrary shell commands on the system with the privileges of the web daemon.

Solution: The vendor has released a fixed version (2.3.33), available at:

http://www.mailreader.com/download/

Vendor URL: www.mailreader.com/ (Links to External Site)

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: pokleyzz <pokleyzz@scan-associates.net>

Message History: This archive entry has one or more follow-up message(s) listed below.

Jul 23 2004

(Debian Issues Fix) Mailread.com POP Mail Software Input Validation Bugs Let Remote Users Read Files and Execute Commands on the System (Matt Zimmerman <mdz@debian.org>)
Debian has released a fix.

Source Message Contents

Date: Mon, 28 Oct 2002 17:48:04 +0800
From: pokleyzz <pokleyzz@scan-associates.net>
Subject: SCAN Associates Advisory : Multiple vurnerabilities on mailreader.com

 

Products: Mailreader.com v 2.3.31 and below (http://www.mailreader.com)
Date: 28 October 2002
Author:  pokleyzz <pokleyzz@scan-associates.net>
Contributors: sk@scan-associates.net shaharil@scan-associates.net

Description
===========
Mailreader.com (http://www.mailreader.com) is  web base pop3 email 
reader written in perl.

Details
=======
There is multiple vurnerabilities in this package as describe below.

1) Read any text file

By default mailreader install with language support.  There is no proper
error checking in configLanguage input.Using nullbyte poisoning  we can 
easily overwrite that value with any file we want and cause mailreader to 
display the file content.
ex:

http://192.168.0.1/cgi-bin/mail/nph-mr.cgi?do=loginhelp&configLanguage=../..
/../../../../../etc/passwd%00

Affected version :  <=  Mailreader.com v2.3.31


2) Remote command execution

Mailreader allow user to specify their own mail server so any user can
login and use the mailreader . User also can overwrite SMTPServers 
configuration using configSMTPServers input.  For version 2.3.30 and above
there is an option to use sendmail as mail transfer agent.  There is poor 
error checking for $CONFIG{RealEmail} in compose.cgi which will use as $from in
network.cgi.
 
from network.cgi line 372:

	if ($server =~ /[.]*sendmail/) {
		# close the file 'cause it isn't needed
		close FILE;

		# send the file
		my $res = `$server -U -f$from -t -i < $filename`;

		# and escape
		return 1;
	}

This will allow user to include value that will escape to shell and run 
arbitrary command as web user.

Affected version : Mailreader.com v2.3.30 and Mailreader.com v2.3.31

Vendor Response 
=============== 
Vendor has been contacted on 23/10/2002 and new version of Mailreader.com  
is available.

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2004, SecurityGlobal.net LLC