[16734] in bugtraq
(SRADV00003) Arbitrary file disclosure through IMP
daemon@ATHENA.MIT.EDU (Secure Reality Advisories)
Tue Sep 12 17:18:17 2000
Message-Id: <010901c01cae$59a44940$6d32a4cb@rivrw1.nsw.optushome.com.au>
Date: Tue, 12 Sep 2000 21:41:11 +1000
Reply-To: Secure Reality Advisories <create@SECUREREALITY.COM.AU>
From: Secure Reality Advisories <create@SECUREREALITY.COM.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
==================================================
Secure Reality Pty Ltd. Security Advisory #3 (SRADV00003)
http://www.securereality.com.au
==================================================

[Title]
Arbitrary file disclosure through IMP

[Released]
12/09/2000

[Vulnerable]
Most (all?) versions of IMP < 2.2.1
[Overview]
IMP is an extremely powerful and widespread webmail application in PHP. In investigating the PHP file upload issue discussed in SRADV00001 we tested many popular PHP scripts which supported file upload. All of them were vulnerable to the problem in the form given, except IMP. By luck it managed to avoid this problem; it is, however, still vulnerable to arbitrary disclosure of files readable by the web user (typically 'nobody') via an alternative method.

Shame we released this advisory a little late: for those not aware, a serious bug has been found in Horde (a library that IMP uses) that allows remote command execution. For more detail on this problem see http://www.securityfocus.com/templates/archive.pike?mid=81141&threads=0&end=2000-09-09&start=2000-09-03&list=1&fromthread=0. This means most users will (hopefully) have updated at least the Horde library to the latest version; however, those who only updated the Horde library and not IMP in addition will be vulnerable to this problem.
[Impact]
File Disclosure
[Detail]
IMP is not vulnerable to most forms of the method described in SRADV00001 because it attempts to copy the specified file to its current location with .att appended. That is, if the filename were '/etc/passwd', it attempts to copy the file to '/etc/passwd.att'. This will almost always fail, since the web user is unlikely to have write access to the directories specified.

However, IMP makes the mistake of keeping state in hidden form variables which, if modified, can cause insecure behaviour. Hidden fields are part of the client's request and can be rewritten freely by whoever submits the form; they are no more trustworthy than any other POST parameter. In order to keep track of the attachments for an email being composed in compose.php, it stores in the form variables like the following:

    <input type="hidden" name="attachments_name[]" value="hello.txt">
    <input type="hidden" name="attachments_size[]" value="68">
    <input type="hidden" name="attachments_file[]" value="/var/tmp/phpAAA0kwGF6.att">
    <input type="hidden" name="attachments_type[]" value="text/plain">

Modifying the attachments_name[] hidden variable will cause IMP to email as an attachment any file it can read with web user privileges. Additionally, it will try to unlink this file once complete, which could potentially be used to cause damage (on Unix, unlink succeeds for any file in a directory the web user can write to, regardless of who owns the file).
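The defect described above, as an added example that is not IMP's or Horde's code: a compose handler that takes attachment metadata back from client-editable hidden fields, beside one that keeps that metadata in the server-side session and hands the client only an opaque token. The example reads the path from attachments_file[], the field that carries the temp-file path in the form above; whichever field IMP actually consulted, the defect is the same, a hidden field chooses the file. The session dict, the attachments_id[] field, the register_upload/compose_* helpers and all file names are assumptions made for the illustration, and the files are constructed in a temporary directory so that nothing real is read or deleted.

```python
import os
import secrets
import tempfile


def make_fixture():
    """Constructed inputs (not real system files): an upload directory that
    stands in for /var/tmp holding one legitimate .att file, and a 'secret'
    file outside it that stands in for /etc/passwd."""
    root = tempfile.mkdtemp(prefix="sradv3_")
    upload_dir = os.path.join(root, "var_tmp")
    os.mkdir(upload_dir)
    legit = os.path.join(upload_dir, "phpAAA0kwGF6.att")
    with open(legit, "w") as fh:
        fh.write("hello world\n")
    secret = os.path.join(root, "etc_passwd")
    with open(secret, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")
    return upload_dir, legit, secret


def compose_vulnerable(form):
    """The flawed pattern: every attribute of every attachment is taken from
    hidden fields, so the client chooses which file on disk gets attached
    and, after sending, unlinked. `form` mimics PHP's attachments_*[] arrays."""
    parts = []
    for name, ctype, path in zip(form["attachments_name[]"],
                                 form["attachments_type[]"],
                                 form["attachments_file[]"]):
        with open(path, "rb") as fh:
            data = fh.read()
        parts.append({"name": name, "type": ctype, "data": data})
        os.unlink(path)  # the cleanup step the advisory warns about
    return parts


def register_upload(session, upload_dir, display_name, ctype, path):
    """Record a completed upload server-side and give the client only an
    opaque token (hypothetical helper). The path never leaves the server."""
    token = secrets.token_hex(16)
    session.setdefault("attachments", {})[token] = {
        "name": display_name, "type": ctype, "path": path,
    }
    return token


def compose_hardened(session, upload_dir, form):
    """Resolve each token through the session registry. The realpath check
    is defence in depth: the path is server-generated, but a registry bug or
    a symlink in the upload directory should still not reach /etc."""
    base = os.path.realpath(upload_dir)
    registry = session.get("attachments", {})
    parts = []
    for token in form["attachments_id[]"]:
        meta = registry.get(token)
        if meta is None:
            raise PermissionError("unknown attachment token %r" % token)
        path = os.path.realpath(meta["path"])
        if path == base or os.path.commonpath([base, path]) != base:
            raise PermissionError("attachment outside upload directory")
        with open(path, "rb") as fh:
            data = fh.read()
        parts.append({"name": meta["name"], "type": meta["type"], "data": data})
        os.unlink(path)
        del registry[token]  # one-shot: a resubmitted form cannot re-attach it
    return parts


def demo():
    """Run both handlers against fresh fixtures and report what each did."""
    upload_dir, legit, secret = make_fixture()
    tampered = {
        "attachments_name[]": ["hello.txt"],
        "attachments_size[]": ["68"],
        "attachments_type[]": ["text/plain"],
        "attachments_file[]": [secret],  # attacker edited the hidden field
    }
    leaked = compose_vulnerable(tampered)
    out = {
        "vuln_leaked": leaked[0]["data"],
        "vuln_secret_unlinked": not os.path.exists(secret),
    }

    upload_dir, legit, secret = make_fixture()
    session = {}
    token = register_upload(session, upload_dir, "hello.txt", "text/plain", legit)
    good = compose_hardened(session, upload_dir, {"attachments_id[]": [token]})
    out["hard_data"] = good[0]["data"]
    out["hard_legit_unlinked"] = not os.path.exists(legit)
    try:
        # the client can no longer name a path; a made-up token is refused
        compose_hardened(session, upload_dir, {"attachments_id[]": [secret]})
        out["hard_rejected"] = False
    except PermissionError:
        out["hard_rejected"] = True
    out["hard_secret_intact"] = os.path.exists(secret)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The registry entry is deleted once the attachment has been consumed, so the token cannot be replayed to unlink a file twice; with the hidden-field design there is nothing to delete, because the server never recorded what it handed out.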
[Fix]
Please upgrade to the latest versions:
IMP 2.2.1 ftp://ftp.horde.org/pub/imp/
Horde 1.2.1 ftp://ftp.horde.org/pub/horde/
[Credits]
Our thanks to Chuck Hagenbuch, a member of the IMP team, for his assistance in quickly fixing this problem and cutting a new version.
[Disclaimer]
Advice, directions and instructions on security vulnerabilities in this advisory do not constitute: an endorsement of illegal behaviour; a guarantee that protection measures will work; an endorsement of any product or solution or recommendations on behalf of Secure Reality Pty Ltd. Content is provided as is and Secure Reality does not accept responsibility for any damage or injury caused as a result of its use.