[27843] in bugtraq


Fresh hole in W3Mail (fwd)

daemon@ATHENA.MIT.EDU (Tim Brown)
Tue Nov 12 23:14:35 2002

Date: Tue, 12 Nov 2002 23:28:44 +0000 (GMT)
From: Tim Brown <securityfocus@machine.org.uk>
To: bugtraq@securityfocus.com
Message-ID: <Pine.SOL.4.44.0211122327000.23213-200000@london.uk.nth-dimension.org.uk>

Hi,

The attached advisory supersedes my previous effort regarding W3Mail
(NDSA20020719).  It seems that in fixing the original holes, CascadeSoft
introduced a new one.

Their fix for the original hole was as I suggested, to move the MIME
attachment data from the web server document root.  Unfortunately, the
script they wrote to allow users to access the attachment does no
checking of the validity of the file argument, allowing you to request
any file that is readable by the web server user.

The vendor has been notified, but since they never bothered to
acknowledge our contact last time, we're expecting no official response.
Hopefully this time they will be able to correct the bug in less than 4
months.

Cheers,
Tim
-- 
Tim Brown
<mailto:securityfocus@machine.org.uk>
<http://www.machine.org.uk/>

[Attachment: NDSA20021112.txt.asc]

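The unchecked file argument the mail describes, beside the containment check a defender would add, as an example added here and not code from W3Mail or CascadeSoft (Python rather than the product's Perl CGI; the attachment directory layout and the per-mailbox confinement are assumptions):

```python
import os

# Constructed layout (assumption, not W3Mail's real paths): attachment data
# lives outside the web document root, one subdirectory per mailbox.
ATTACHMENT_ROOT = "/var/lib/w3mail/attachments"


class AttachmentError(ValueError):
    """Raised when the untrusted file argument is rejected."""


def resolve_attachment(file_arg, mailbox, root=ATTACHMENT_ROOT):
    """Map the CGI 'file' argument to a path under the attachment root.

    The W3Mail script opened the argument unchecked, so any file readable
    by the web server user could be requested. Here the argument must be a
    bare file name, lookups are confined to the caller's own mailbox
    directory, and the resolved path is verified to stay under the root.
    """
    if not file_arg or file_arg in (".", ".."):
        raise AttachmentError("empty or reserved file name")
    if any(sep in file_arg for sep in ("/", "\\", "\x00")):
        raise AttachmentError("separators and NUL bytes are not allowed")
    if not mailbox or mailbox in (".", "..") or any(
        sep in mailbox for sep in ("/", "\\", "\x00")
    ):
        raise AttachmentError("invalid mailbox name")
    root_real = os.path.realpath(root)
    # realpath also follows symlinks, so a planted link cannot escape either.
    candidate = os.path.realpath(os.path.join(root_real, mailbox, file_arg))
    # Belt and braces: confirm containment even after the syntactic checks.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise AttachmentError("resolved path escapes the attachment root")
    return candidate


def is_allowed(file_arg, mailbox, root=ATTACHMENT_ROOT):
    """True if the request would be served, False if it would be refused."""
    try:
        resolve_attachment(file_arg, mailbox, root)
        return True
    except AttachmentError:
        return False


if __name__ == "__main__":
    # Constructed requests: one legitimate, three that an unchecked open
    # would follow but this check refuses.
    for file_arg, mailbox in [("report.txt", "alice"), ("../bob/report.txt", "alice"),
                              ("/etc/passwd", "alice"), ("report.txt", "../..")]:
        print(f"file={file_arg!r} mailbox={mailbox!r}: allowed={is_allowed(file_arg, mailbox)}")
```

On a real server the same containment check belongs in whatever script serves the attachment, and the log line for a refused request is a cheap detection signal for probing.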