SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (E-mail Server)  >   Open WebMail Vendors:   openwebmail.org
Open WebMail Discloses User and Group Account ID Information to Remote Users
SecurityTracker Alert ID:  1005688
SecurityTracker URL:  http://securitytracker.com/id/1005688
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 23 2002
Impact:   Disclosure of system information
Exploit Included:  Yes  
Version(s): 1.71
Description:   An information disclosure vulnerability was reported in Open WebMail. A remote user can determine the user id and group id of the WebMail scripts.

It is reported that a remote user can connect to the server and enter an invalid username to cause the server to disclose some internal system information. According to the report, the server will disclose the user id (uid) and group id (gid) of the Open WebMail process, such as is shown below:

euid=0, egid=80 80 80, mailgid=6
Impact:   A remote user can determine the user id and group id of the Open WebMail process on the server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  openwebmail.org/ (Links to External Site)
Cause:   Access control error, Exception handling error
Underlying OS:   UNIX (Any)

Message History:   None.

 Source Message Contents
Date:  Tue, 19 Nov 2002 09:30:10 -0300
Subject:  Open WebMail 1.71 "background" magic info


Hello Folks,

Open Webmail is a perl webmail program that runs on UNIX operational systems. 
For more about Open WebMail, itīs official website is http://openwebmail.org/.

Ok, letīs talk about the problem.

Iīve tested Open WebMail 1.71 an when you enter an invalid username (user 
that doesnīt exist on the system), the 
WebMail returns to you a "very nice screen" like it:

---
Open WebMail ERROR 

user does not exist 

Open WebMail version 1.71 
---

Ok, now try to copy with your mouse the all message that returned to you, 
and...

---
Open WebMail ERROR 

user does not exist 
euid=0, egid=80 80 80, mailgid=6 

Open WebMail version 1.71 
---

...KABOOM! Look what magically appears:

"euid=0, egid=80 80 80, mailgid=6"

allright, letīs verify the information:

ps aux
root        9044  0.0  3.0  3248 2776  ??  R    10:29AM   
0:00.40 /usr/bin/perl -T /usr/local/www/cgi-bin/openwebmail/.openwebmail.pl

As you can see above, the perl scrip run as root, and we can know it just 
with the "magically information" that appears on the "very nice screen".

Thatīs could be the begin for an attack... know information. 

Yeah guys, something is wrong... Some information is better than we can 
imagine, and some information like it to the wrong (or right) guys... :)

Hugs,

Felipe Neuwald
felipe@freebsdbr.com.br

--
FreeBSDbr.com.br


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC