Secunia
Login
|
|
Secunia Research: @Mail Webmail Attachment Upload Directory Traversal |
|
======================================================================
Secunia Research 01/02/2006
- @Mail Webmail Attachment Upload Directory Traversal -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9
======================================================================
1) Affected Software
* @Mail 4.3 for Windows
Other versions may also be affected.
======================================================================
2) Severity
Rating: Moderately Critical
Impact: System access
Where: Remote
======================================================================
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in @Mail Webmail,
which can be exploited by malicious users to compromise a vulnerable
system.
The vulnerability is caused due to the lack of sanitisation of the
"unique" parameter in compose.pl before using the value to construct
a filename for saving an uploaded mail attachment. This can be
exploited to upload files to arbitrary directories on the server with
privileges of the webserver via directory traversal attacks. The
default installation of the Windows version runs the Apache webserver
with SYSTEM privileges.
Successful exploitation allows execution of arbitrary Perl code by
e.g. uploading a Perl file into the webmail directory.
======================================================================
4) Solution
The vendor has provided a source code patch (see vendor's original
advisory).
A patch will be available for download by 2006-02-07.
======================================================================
5) Time Table
30/01/2006 - Initial vendor notification.
30/01/2006 - Initial vendor reply.
01/02/2006 - Vendor releases source code patch.
01/02/2006 - Public disclosure.
======================================================================
6) Credits
Discovered by Tan Chew Keong, Secunia Research.
======================================================================
7) References
CalaCode:
http://kb.atmail.com/view_article.php?num=374
======================================================================
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:
http://secunia.com/
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/
======================================================================
9) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-2/advisory/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
|
|
