PT-2011-48: Multiple Vulnerabilities in AtMail

Vulnerable software

Webmail Interface AtMail 
Version: 1.04 and earlier

Application link:

Severity level

Severity level: High 
Impact: Multiple vulnerabilities 
Access Vector: Network exploitable 

CVSS v2: 
Base Score: 9.0 
Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)

CVE: not assigned

Software description

AtMail is an open source webmail client.

Vulnerability description

Specialists from the Positive Technologies Research Center have revealed multiple vulnerabilities in the AtMail webmail interface.

1. Arbitrary Files Loading
The system allows one to load files attached to email letters. File extension is not checked; thus, arbitrary files including .php files can be downloaded.
As a result, the file will be available at:

2. Path Traversal
Vulnerability in the file: /compose.php
Vulnerable code fragment:
$var['unique'] = preg_replace('/\.\.\//', '', $var['unique']);
The substring "../" is deleted from the $var['unique'] parameter, but the process is not recursive. Thus, if the parameter contains a substring "..././", than the substring "../" will be left after deletion.
As a result, Path Traversal attacks are possible.
Exploitation example:

3. Arbitrary Files Copying
The system allows one to copy the attached files. The name of the file to be copied is not checked, so an arbitrary file can be copied.
The name of the file to be created is not checked for special characters (e.g. null bytes), which allows one to create a file with arbitrary extension.
Furthermore, an attacker will be able to create this file in an arbitrary directory if he/she exploits the Path Traversal vulnerability described above.
Vulnerability in the files:
/libs/Atmail/SendMsg.php (the methods "renameattach" и "copyFile")
Exploitation example:
As a result, the file will be available at:

4. Arbitrary Files Reading
The name of the file being read is improperly verified. Filtering mechanism can be bypassed. It allows attackers to read arbitrary files.
Vulnerability in the file: mime.php
Vulnerable code fragment:
$var['src'] = rawurldecode($_REQUEST['file']);
$var['src'] = preg_replace('/^.+[\\\\\\/]/', '', $var['src']); // Don't allow to go down a dir,
sanity check
If the file name contains a slash (‘/’), then all characters before it will be deleted.
However, the regular expression doesn’t use the ‘s’ modifier, and the %0a character will be recognized as two characters (linefeed + carriage return).
The control symbol ‘.’ without the ‘s’ modifier can replace only one character in a regular expression; thus, only characters before %0a will be checked.
Exploitation example:

5. Sensitive Information Disclosure
The file info.php calls the function phpinfo(), which displays information about the system configuration. https://localhost/install/info.php

How to fix

Update your software up to the latest version

Advisory status

06.12.2011 - Vendor is notified
06.02.2012 - Vulnerability details were sent to CERT
26.03.2012 - Vendor releases fixed version and details
26.03.2012 - Public disclosure


The vulnerability was discovered by Sergey Scherbel, Positive Research Center (Positive Technologies Company)


Reports on the vulnerabilities previously discovered by Positive Research: