Medium security hole affecting W3Mail

From: Tim Brown (securityfocusat_private)
Date: Thu Jul 25 2002 - 05:37:18 PDT

    I believe I've found a medium-level security hole relating to the way W3Mail
    stores MIME attachments.  I contacted the authors (CascadeSoft - 
    <http://www.cascadesoft.com/>) on the 19th, offering them 14 days to produce 
    a fix, but have had no reply to acknowledge that the problem even exists, so 
    I've decided to publish this warning:
    
    Nth Dimension Security Advisory (NDSA20020719)
    Date: 19th July 2002
    Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
    URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
    Product: W3Mail (up to and including 1.0.5) <http://www.w3mail.org/>
    Vendor: CascadeSoft <http://www.cascadesoft.com/>
    Risk: Medium
    
    Summary
    
    This vulnerability comes in 2 related parts.
    
    1) W3Mail can incorrectly expose downloaded MIME attachments without
    correct authentication in cases where the web server has been
    configured with indexing for the MIME attachments storage directory.
    
    2) In cases where the web server has server-side scripting of any type
    (such as PHP) enabled for the MIME attachments directory, it is
    possible to gain remote access as the web server user (typically nobody).
    
    Technical Details
    
    1) Unless indexing for the MIME attachments directory is disabled, it
    is possible to browse the MIME attachments directory and read
    arbitrary attachments.  Prior to release 1.0.3, W3Mail did not
    correctly clean up the MIME directory, leaving the attachments there
    even after the user to whom they belonged had logged out. In versions
    1.0.3 and more recent, providing the user correctly logs out, their
    attachments will be removed. Note that the attachments will remain, as
    with 1.0.3 and lower releases, if the user simply closes the window
    rather than using the correct logout link.
    
    2) By sending a MIME attachment executable by the web server from the
    MIME attachments directory to a POP3 account accessed from the W3Mail
    web-based POP3 client, remote access as the web server user can in
    theory be achieved, if the user to whom the mail is sent opens the
    malicious email (and thus creates the attachments within the MIME
    attachments directory for the lifetime explained in part 1).  Whilst
    the attachment exists, the potential intruder can request it via their
    browser and therefore have it executed by the web server.  The
    attachment must be sent as a non-text MIME type in order for the
    malicious code to be correctly created. This part of the vulnerability
    will work even when directory indexing is turned off for the MIME
    attachments directory, since attachments are created with their
    original name.
    
    This vulnerability can also be exploited on attachments being sent
    from W3Mail, although in this case the effect is reduced in versions
    from 1.0.3 onwards, which clean the attachments directory after the
    mail has been sent, minimizing the potential time for any attack.
    
    Solutions
    
    In order to completely protect against the vulnerability (in the short
    term), Nth Dimension recommend turning off indexing and any server-side
    file execution for the MIME attachments directory; however, it is
    our belief that it would be better to rewrite the affected code with a
    view to storing attachments (either those being sent or received)
    outside the web server's document root.
    
    I found it purely by chance, as one of my friends has a web stats utility
    running on his W3Mail server - it was listing attachments, and I was
    surprised to find that they could be accessed without any authentication -
    more shocking still, it's possible to use this knowledge to upload malicious
    code to be executed via a browser.
    
    Cheers,
    Tim
    --
    Tim Brown
    <mailto:securityfocusat_private>
    <http://www.machine.org.uk/>
    
    
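The short-term mitigation from the Solutions section of the advisory, shown as an added Apache httpd configuration example (not from the advisory, W3Mail or CascadeSoft); the attachments directory path and the presence of mod_php4 are assumptions, and the weak block is the kind of setting the advisory warns about:

```apache
# Added example (not from the advisory). The directory path is an assumption.

# Weak: the attachments directory sits under the document root, is browsable
# (part 1 of the advisory), and inherits whatever execution the vhost allows
# (PHP, CGI, SSI), so an attachment saved under its original name can be
# requested and run by the web server (part 2).
<Directory "/var/www/html/w3mail/attachments">
    Options Indexes FollowSymLinks ExecCGI Includes
    AllowOverride All
</Directory>

# Hardened (the advisory's short-term fix): no directory listing, and no file
# in this directory is ever executed; everything is served as a static file.
<Directory "/var/www/html/w3mail/attachments">
    Options -Indexes -ExecCGI -Includes -FollowSymLinks
    # Stop a .htaccess dropped into the directory from re-enabling anything.
    AllowOverride None
    # Hand every file, whatever its extension, to the core static-file
    # handler so .php/.cgi/.pl attachments are downloaded, not run.
    SetHandler default-handler
    RemoveHandler .php .phtml .php3 .cgi .pl .shtml
    RemoveType .php .phtml .php3
    # Belt and braces for mod_php: php_admin_flag cannot be overridden later.
    <IfModule mod_php4.c>
        php_admin_flag engine off
    </IfModule>
</Directory>
```

This only narrows the window described in the advisory; the attachments are still readable by anyone who knows their file name, which is why the advisory's preferred fix is to store them outside the document root altogether.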



    This archive was generated by hypermail 2b30 : Thu Jul 25 2002 - 08:13:12 PDT