PT-2011-48: Multiple Vulnerabilities in AtMail
Vulnerable software
Webmail Interface AtMail
Version: 1.04 and earlier
Application link:
http://atmail.org/
Severity level
Severity level: High
Impact: Multiple vulnerabilities
Access Vector: Network exploitable
CVSS v2:
Base Score: 9.0
Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVE: not assigned
Software description
AtMail is an open source webmail client.
Vulnerability description
Specialists from the Positive Technologies Research Center have revealed multiple vulnerabilities in the AtMail webmail interface.
1. Arbitrary Files Loading
The system allows one to load files attached to email letters. File extension is not checked; thus, arbitrary files including .php files can be downloaded.
As a result, the file will be available at:
https://localhost/tmp/username@host.com/username@host.com-string-PositiveShell.php
2. Path Traversal
Vulnerability in the file: /compose.php
Vulnerable code fragment:
$var['unique'] = preg_replace('/\.\.\//', '', $var['unique']);
The substring "../" is deleted from the $var['unique'] parameter, but the process is not recursive. Thus, if the parameter contains a substring "..././", than the substring "../" will be left after deletion.
As a result, Path Traversal attacks are possible.
Exploitation example:
https://localhost/compose.php?
func=renameattach&unique=/..././..././..././..././..././..././..././..././..././..././..././.../
./tmp/positive.test%00&Attachment[]=/../../../../../../../../../etc/passwd
3. Arbitrary Files Copying
The system allows one to copy the attached files. The name of the file to be copied is not checked, so an arbitrary file can be copied.
The name of the file to be created is not checked for special characters (e.g. null bytes), which allows one to create a file with arbitrary extension.
Furthermore, an attacker will be able to create this file in an arbitrary directory if he/she exploits the Path Traversal vulnerability described above.
Vulnerability in the files:
/compose.php
/libs/Atmail/SendMsg.php (the methods "renameattach" и "copyFile")
Exploitation example:
https://localhost/compose.php?func=renameattach&unique=1.txt%00&Attachment[]
=/../../../../../../../../../etc/passwd
As a result, the file will be available at:
https://localhost/tmp/username@host.com/username@host.com-1.txt
4. Arbitrary Files Reading
The name of the file being read is improperly verified. Filtering mechanism can be bypassed. It allows attackers to read arbitrary files.
Vulnerability in the file: mime.php
Vulnerable code fragment:
$var['src'] = rawurldecode($_REQUEST['file']);
$var['src'] = preg_replace('/^.+[\\\\\\/]/', '', $var['src']); // Don't allow to go down a dir,
sanity check
If the file name contains a slash (‘/’), then all characters before it will be deleted.
However, the regular expression doesn’t use the ‘s’ modifier, and the %0a character will be recognized as two characters (linefeed + carriage return).
The control symbol ‘.’ without the ‘s’ modifier can replace only one character in a regular expression; thus, only characters before %0a will be checked.
Exploitation example:
https://localhost/mime.php?file=%0A/../../../../../../../../../etc/passwd&name=positive.html
5. Sensitive Information Disclosure
The file info.php calls the function phpinfo(), which displays information about the system configuration. https://localhost/install/info.php
How to fix
Update your software up to the latest version
Advisory status
06.12.2011 - Vendor is notified
06.02.2012 - Vulnerability details were sent to CERT
26.03.2012 - Vendor releases fixed version and details
26.03.2012 - Public disclosure
Credits
The vulnerability was discovered by Sergey Scherbel, Positive Research Center (Positive Technologies Company)
References
http://en.securitylab.ru/lab/PT-2011-48
http://www.kb.cert.org/vuls/id/743555
Reports on the vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/
