PT-2011-48: Multiple Vulnerabilities in AtMail

Vulnerable software
Webmail Interface AtMail
Version: 1.04 and earlier
Application link: http://atmail.org/

Severity level
Severity level: High
Impact: Multiple vulnerabilities
Access Vector: Network exploitable
CVSS v2:
Base Score: 9.0
Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVE: not assigned

Software description
AtMail is an open source webmail client.

Vulnerability description
Specialists from the Positive Technologies Research Center have found multiple vulnerabilities in the AtMail webmail interface.

1. Arbitrary File Upload
The system allows a user to upload files as attachments to email messages. The file extension is not checked, so arbitrary files, including .php files, can be uploaded. As a result, the file becomes available at:
https://localhost/tmp/username@host.com/username@host.com-string-PositiveShell.php

2. Path Traversal
Vulnerable file: /compose.php
Vulnerable code fragment:
    $var['unique'] = preg_replace('/\.\.\//', '', $var['unique']);
The substring "../" is removed from the $var['unique'] parameter, but the replacement is applied in a single pass, not repeatedly. Thus, if the parameter contains the substring "..././", the substring "../" remains after the deletion. As a result, path traversal attacks are possible.
Exploitation example:
https://localhost/compose.php?func=renameattach&unique=/..././..././..././..././..././..././..././..././..././..././..././..././tmp/positive.test%00&Attachment[]=/../../../../../../../../../etc/passwd

3. Arbitrary File Copying
The system allows a user to copy attached files. The name of the file to be copied is not checked, so an arbitrary file can be copied. The name of the file to be created is not checked for special characters (e.g. null bytes), which allows one to create a file with an arbitrary extension. Furthermore, an attacker can create this file in an arbitrary directory by combining this with the path traversal vulnerability described above.
Vulnerable files: /compose.php, /libs/Atmail/SendMsg.php (the methods "renameattach" and "copyFile")
Exploitation example:
https://localhost/compose.php?func=renameattach&unique=1.txt%00&Attachment[]=/../../../../../../../../../etc/passwd
As a result, the file becomes available at:
https://localhost/tmp/username@host.com/username@host.com-1.txt

4. Arbitrary File Reading
The name of the file being read is improperly validated: the filtering mechanism can be bypassed, which allows an attacker to read arbitrary files.
Vulnerable file: mime.php
Vulnerable code fragment:
    $var['src'] = rawurldecode($_REQUEST['file']);
    $var['src'] = preg_replace('/^.+[\\\\\\/]/', '', $var['src']); // Don't allow to go down a dir, sanity check
If the file name contains a slash ('/'), all characters before it are deleted. However, the regular expression does not use the 's' modifier, and the %0a character is recognized as two characters (line feed + carriage return). Without the 's' modifier, the '.' metacharacter matches any single character except a newline; thus only the characters before %0a are checked.
Exploitation example:
https://localhost/mime.php?file=%0A/../../../../../../../../../etc/passwd&name=positive.html

5. Sensitive Information Disclosure
The file info.php calls the function phpinfo(), which displays information about the system configuration.
https://localhost/install/info.php

How to fix
Update the software to the latest version.

Advisory status
06.12.2011 - Vendor notified
06.02.2012 - Vulnerability details sent to CERT
26.03.2012 - Vendor releases fixed version and details
26.03.2012 - Public disclosure

Credits
The vulnerabilities were discovered by Sergey Scherbel, Positive Research Center (Positive Technologies Company).

References
http://en.securitylab.ru/lab/PT-2011-48
http://www.kb.cert.org/vuls/id/743555

Reports on vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/
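The following Python re-implementation of the two filters quoted in items 2 and 4 is an added example, not AtMail's code: it shows why each single-pass, strip-based filter leaves a traversal sequence intact, and contrasts it with a validator that rejects bad names outright and confines the resolved path to the upload directory (UPLOAD_ROOT and ALLOWED_EXTENSIONS are assumed values, not taken from the advisory).

```python
import os
import re
from typing import Optional

# Added example (not AtMail code): re-implementation of the two filters quoted in
# the advisory, followed by a hardened validator that rejects instead of stripping.

def strip_dotdot_once(unique: str) -> str:
    """Mirrors preg_replace('/\\.\\.\\//', '', $var['unique']) from compose.php.
    One substitution pass only: removing '../' from '..././' leaves '../' behind."""
    return re.sub(r"\.\./", "", unique)

def strip_leading_dirs(src: str) -> str:
    """Mirrors preg_replace('/^.+[\\\\\\/]/', '', $var['src']) from mime.php.
    Without PCRE's 's' modifier (re.DOTALL in Python) '.' never matches a newline,
    so a name that starts with a line break is returned unchanged, traversal included."""
    return re.sub(r"^.+[\\/]", "", src)

UPLOAD_ROOT = "/var/atmail/tmp"          # assumed upload directory, not from the advisory
UPLOAD_ROOT_REAL = os.path.realpath(UPLOAD_ROOT)
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg"}   # assumed allowlist for item 1

def safe_attachment_path(root: str, name: str) -> Optional[str]:
    """Hardened check: refuse control characters, separators and dot names outright,
    enforce an extension allowlist, then confirm the resolved path stays under root."""
    if any(ch in name for ch in ("\x00", "\n", "\r", "/", "\\")):
        return None
    if name in ("", ".", "..") or name.startswith("."):
        return None
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    # realpath() collapses any remaining '..', so containment is tested on the final path
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate

if __name__ == "__main__":
    print(repr(strip_dotdot_once("..././")))                 # '../'
    print(repr(strip_leading_dirs("\n/../../etc/passwd")))   # returned unchanged
    print(safe_attachment_path(UPLOAD_ROOT, "report.pdf"))   # path under UPLOAD_ROOT
    print(safe_attachment_path(UPLOAD_ROOT, "1.txt\x00"))    # None
```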