Vulnerability Note VU#743555

@Mail Open webmail client contains multiple vulnerabilities

Original Release date: 22 Mar 2012 | Last revised: 28 Mar 2012

Overview

The @Mail Open 1.04 webmail client contains multiple vulnerabilities including; unrestricted upload of file with dangerous type (CWE-434), relative path traversal (CWE-23), external control of file name or path (CWE-73), and information exposure (CWE-200).

Description

The @Mail Open 1.04 webmail client contains multiple vulnerabilities including the following.

CWE-434: Unrestricted Upload of File with Dangerous Type
An attacker can upload files attached to email letters with dangerous types, such as, .php. This vulnerability can be exploited to upload a backdoor php shell.

CWE-23: Relative Path Traversal
The compose.php script contains a directory traversal vulnerability. An example is below:

hxxps://localhost/compose.php?func=renameattach&unique=/..././..././..././..././..././..././..././..././..././..././..././..././tmp/positive.test%00&Attachment[]=/../../../../../../../../../etc/passwd

CWE-73: External Control of File Name or Path
The compose.php and SendMsg.php scripts can be exploited with the directory traversal attack to copy any file on the system. An example is below:

hxxps://localhost/compose.php?func=renameattach&unique=1.txt%00&Attachment[]=/../../../../../../../../../etc/passwd

As a result, the file will be available at:
hxxps://localhost/tmp/username@host.com/username@host.com-1.txt

The mime.php script can be exploited with the directory traversal attack to read any file on the system. An example is below:

hxxps://localhost/mime.php?file=%0A/../../../../../../../../../etc/passwd&name=positive.html

CWE-200: Information Exposure
The info.php script calls the phpinfo() function that my display sensitive system configuration information.

Additional details may be found in Positive Technologies' PT-2011-48 advisory.

Impact

A remote attacker may be able to read and write to arbitrary files on the system. A backdoor shell may also be uploaded to an affected system.

Solution

Apply an Update
@Mail Open 1.05 has been released to address these vulnerabilities.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
AtMailAffected06 Feb 201220 Mar 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 6.0 AV:N/AC:M/Au:S/C:P/I:P/A:P
Temporal 4.7 E:POC/RL:OF/RC:C
Environmental 4.7 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Sergey Scherbel of Positive Technologies for reporting these vulnerabilities.

This document was written by Jared Allar.

Other Information

  • CVE IDs: Unknown
  • Date Public: 22 Mar 2012
  • Date First Published: 22 Mar 2012
  • Date Last Updated: 28 Mar 2012
  • Severity Metric: 1.34
  • Document Revision: 27

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.