popper_mod 1.2.1 and previous accounts compromise

From: matthewat_private
Date: Sat Mar 30 2002 - 05:50:19 PST


description: popper_mod is a free, full-featured web-based POP3 email client written in PHP. It is an extension of the now abandoned "popper" project.
It can be downloaded from http://www.symatec-computer.com/forums/

bug report: popper_mod 1.2.1 relied on administrators using htaccess authentication to protect the administration PHP script.  Unfortunately, I have found no administrator yet who has protected their admin script access.

exploit: simply go to http://www.targetdomain.com/mail/admin
Your identity as administrator is not verified in any way, and the complete list of user accounts, including the passwords, is revealed.  You can also delete accounts, manipulate settings, and modify accounts.

fix: popper_mod 1.2.2 and above require the administrator to log in with a username and password.  As of this advisory, the latest version is 1.2.3, which can be downloaded from http://www.symatec-computer.com/forums/viewtopic.php?t=14
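As an added illustration (not popper_mod's own code), this is the shape of the guard that the 1.2.2 fix amounts to: the admin script verifies the caller's identity itself instead of assuming the deployer put .htaccess in front of it. The admin username, the stored password hash, the login form field names and the `admin.php` redirect target are all assumptions.

```php
<?php
// Added example, not popper_mod's code. Contrasts the 1.2.1 pattern (no check
// at all before the account list is rendered) with an in-application check.
// Assumed: an admin username, a stored password hash, and a login form that
// posts 'user' and 'pass' back to this script.

session_start();

// Placeholder credentials for the constructed admin password "change-me".
// A real deployment generates the hash once with password_hash() and keeps
// it outside the web root; it is computed inline here only so the example runs.
$ADMIN_USER = 'admin';
$ADMIN_HASH = password_hash('change-me', PASSWORD_DEFAULT);

function admin_logged_in(): bool
{
    return isset($_SESSION['popper_admin']) && $_SESSION['popper_admin'] === true;
}

function handle_login(string $adminUser, string $adminHash): bool
{
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';
    // hash_equals() and password_verify() compare in constant time, so a wrong
    // username and a wrong password are indistinguishable to the caller.
    if (hash_equals($adminUser, $user) && password_verify($pass, $adminHash)) {
        session_regenerate_id(true);        // discard any pre-login session id
        $_SESSION['popper_admin'] = true;
        return true;
    }
    return false;
}

// 1.2.1 behaviour (vulnerable): execution simply continued to the account
// listing here, so anyone who requested /mail/admin saw every account.
//
// 1.2.2+ behaviour (fixed): render nothing until the admin has logged in.
if (!admin_logged_in()) {
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && handle_login($ADMIN_USER, $ADMIN_HASH)) {
        header('Location: admin.php');      // assumed script name
        exit;
    }
    http_response_code(401);
    echo '<form method="post">User <input name="user">'
       . ' Pass <input name="pass" type="password">'
       . ' <button>Log in</button></form>';
    exit;                                   // nothing below runs unauthenticated
}

// Only reached with a verified admin session: account listing, edits, etc.
echo 'Admin panel: account management goes here.';
```

The advisory notes that the exposed page revealed user passwords outright; storing them only as password hashes would have limited what such an exposure leaked, independently of the access check.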
    



    This archive was generated by hypermail 2b30 : Tue Apr 02 2002 - 15:19:14 PST