SecurityTracker.com
SecurityTracker
Archives
Category:  Application (E-mail Client)  >  Instant Web Mail
Vendors:   Bentzen, Jonas Koch et al
Instant Web Mail PHP-based Mail Client May Let Remote Users Cause Arbitrary POP Commands to Be Executed on Another User's Mail System
SecurityTracker Alert ID:  1003894
SecurityTracker URL:  http://securitytracker.com/id/1003894
CVE Reference:   GENERIC-MAP-NOMATCH (no CVE identifier assigned)
Date:  Mar 26 2002
Impact:   Execution of arbitrary POP3 commands via network (CRLF injection); mail header injection
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.59
Description:   A vulnerability was reported in the Instant Web Mail PHP-based POP3 mail client. A remote user can craft a link that, when loaded by a user who is logged in to Instant Web Mail, causes arbitrary POP3 commands to be sent to that user's mail server on the user's behalf.

It is reported that the command() function, which sends a POP3 command to the POP3 server, does not strip CR and LF characters from user-supplied input before sending it. Because POP3 commands are delimited by CRLF, a request parameter containing %0D%0A lets a user append additional POP3 commands to the one the script intended to send (CRLF injection).

It is also reported that the software converts URLs in e-mail messages into clickable HTML links. An attacker can therefore mail the target (victim) user a link to an attacker-controlled server that redirects the browser back to a page on the target user's own Instant Web Mail installation, with extra POP3 commands embedded in the URL. The original report notes that a DELE command injected this way makes Instant Web Mail display one message while deleting another. The report also describes a second issue: the mail sending script write.php accepts CR and LF in the fields that become mail headers (From, To, Cc, Bcc, Subject and X-Priority), allowing mail header injection.

A demonstration exploit URL is provided. %0D%0A decodes to CRLF and + to a space, so the id parameter arrives as "1", a line break, and "DELE 2", which deletes message 2:

http://[targethost]/instantwebmail/message.php?id=1%0D%0ADELE+2&
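The following is an added example, not code from the advisory or from Instant Web Mail (which is PHP). It decodes the demonstration URL the way a PHP script would receive the id parameter, shows the command stream a POP3 server sees when that value is interpolated into a command unchecked, and contrasts it with a hardened version. The assumption that message.php fetches a message with RETR is mine; the advisory only says an arbitrary POP3 command is sent.

```python
import re
import urllib.parse

# Constructed sample: the advisory's demonstration URL, as the victim's browser
# requests it after the redirect from the attacker's server.
DEMO_URL = "http://[targethost]/instantwebmail/message.php?id=1%0D%0ADELE+2&"


def id_param_from_url(url: str) -> str:
    """Return the id query parameter as PHP hands it to the script:
    percent-decoded, with '+' turned into a space."""
    query = url.split("?", 1)[1]
    return urllib.parse.parse_qs(query)["id"][0]


def fetch_command_vulnerable(msg_id: str) -> bytes:
    """Models the reported behaviour: the id is interpolated unchecked into the
    POP3 command that fetches a message (RETR is an assumption here)."""
    return f"RETR {msg_id}\r\n".encode()


def argument_is_clean(arg: str) -> bool:
    """A POP3 argument may never contain a line terminator."""
    return "\r" not in arg and "\n" not in arg


def command_fixed(verb: str, *args: str) -> bytes:
    """Hardened stand-in for the command() function described in the advisory:
    refuse CR or LF in any argument so no caller can smuggle a second command."""
    for arg in args:
        if not argument_is_clean(arg):
            raise ValueError(f"CR/LF in POP3 argument {arg!r}")
    return (" ".join((verb, *args)) + "\r\n").encode()


def is_valid_message_id(msg_id: str) -> bool:
    """Stricter, caller-side check: a POP3 message number is a plain positive
    decimal integer, so anything else is rejected outright."""
    return re.fullmatch(r"[1-9][0-9]*", msg_id) is not None


def fetch_command_fixed(msg_id: str) -> bytes:
    if not is_valid_message_id(msg_id):
        raise ValueError(f"rejected message id {msg_id!r}")
    return command_fixed("RETR", msg_id)


def commands_seen_by_server(stream: bytes) -> list:
    """What the POP3 server actually executes: RFC 1939 delimits commands with
    CRLF, so one client 'command' carrying an embedded CRLF becomes several."""
    return [line.decode() for line in stream.split(b"\r\n") if line]


def demo(url: str = DEMO_URL) -> dict:
    msg_id = id_param_from_url(url)
    return {
        "id_param": msg_id,
        "vulnerable": commands_seen_by_server(fetch_command_vulnerable(msg_id)),
        "fixed_accepts": is_valid_message_id(msg_id),
    }


if __name__ == "__main__":
    print(demo())
```

For the demonstration URL the vulnerable path sends two commands, RETR 1 and DELE 2, while the hardened path rejects the id before anything reaches the server. The check belongs in both places: the whitelist on the message number is the cheap, specific fix, and the CR/LF refusal inside command() protects every other caller that builds a POP3 command from request data.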

Impact:   A remote user could send a malicious link to a target (victim) user that, when loaded by the target user, could cause arbitrary POP3 commands to be sent to the victim's mail system.
Solution:   The vendor has issued a fixed version (0.60), available at:

http://understroem.dk/instantwebmail/instantwebmail.tar.bz2
http://understroem.dk/instantwebmail/instantwebmail.zip

Vendor URL:  understroem.dk/instantwebmail/
Cause:   Input validation error (CR and LF characters are not stripped from user input before it reaches the POP3 command and mail header code)
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   None.


 Source Message Contents

Subject:  Instant Web Mail additional POP3 commands and mail headers


Instant Web Mail additional POP3 commands and mail headers

PROGRAM: Instant Web Mail
VENDOR: Jonas Koch Bentzen (jonas@understroem.dk)
HOMEPAGE: http://understroem.dk/instantwebmail/
VULNERABLE VERSIONS: 0.59 (possibly earlier versions too)
TYPE: remote/local
SEVERITY: medium


DESCRIPTION:

"Instant Web Mail is a Web-based POP mail client written in PHP. It is
incredibly simple to install, but it is nevertheless an advanced program."
(direct quote from the program's project page at Freshmeat)

It has features like reading/sending attachments, viewing both text/plain
and text/html messages, and decoding national characters in mail headers; you
can choose between several languages and themes, it is customizable, etc.
The program is published under the terms of the GNU General Public License.


ISSUES:

1) The function command(), which sends a POP3 command to a POP3 server, allows
embedded CR and LF characters. Nowhere in the program do those characters
get stripped from user input before it is sent to that function. This means that
we can include additional POP3 commands in user requests.

The program also converts URLs in e-mail messages to links. This makes it
easy for an evil person to send a link to a user, and for that user to visit
it. He or she may then be redirected from the evil server back to a page at
his or her Instant Web Mail installation. If the evil server passes an
additional POP3 command for deleting a mail in the URL that it redirects to,
Instant Web Mail will then show the user one mail while deleting another one!

One example of such a URL to redirect to would be:
http://www.userhost.se/instantwebmail/message.php?id=1%0D%0ADELE+2&

2) The mail sending script write.php allows embedded CR and LF characters in
the user input that makes up mail headers like From, To, Cc, Bcc, Subject and
X-Priority. This can be used for adding uuencoded attachments up in the
headers with lines ending in CR instead of CRLF, as previously discussed here
on Bugtraq.

This issue can be exploited by simply saving Instant Web Mail's HTML page for
writing mails, and changing some text fields to textareas.


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 14th of March. We discussed these issues for a
few days. Version 0.60, which is not vulnerable to any of these issues, was
released on the 17th of March.


RECOMMENDATION:

I recommend that all users upgrade to version 0.60 immediately.


// Ulf Harnhammar
metaur@prontomail.com
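The second issue in the report above, header injection through write.php, as an added example that is not part of the original message or of Instant Web Mail's code. The field names follow the report; the header assembly, the sample addresses and the injected values are constructed for illustration. It shows what a receiver sees when a Subject containing CRLF is written straight into the header block, why a bare CR (the variant the report mentions) slips past a strict CRLF-only check but not past a lenient parser, and a hardened builder that rejects either character.

```python
import re

# Constructed sample: fields a user of write.php would submit. Addresses are
# placeholders, not from the advisory.
CLEAN_FIELDS = {
    "From": "alice@example.org",
    "To": "bob@example.org",
    "Subject": "Meeting notes",
}
# Attacker-controlled Subject that smuggles a Bcc and another header.
INJECTED_FIELDS = dict(
    CLEAN_FIELDS,
    Subject="Meeting notes\r\nBcc: everyone@example.net\r\nX-Mailer: injected",
)
# Same trick with a bare CR, the variant the report describes.
CR_ONLY_FIELDS = dict(CLEAN_FIELDS, Subject="Meeting notes\rBcc: everyone@example.net")


def assemble_headers(fields: dict) -> str:
    """One 'Name: value' line per field, CRLF-terminated, no checks."""
    return "".join(f"{name}: {value}\r\n" for name, value in fields.items())


def build_headers_vulnerable(fields: dict) -> str:
    """Models the reported write.php behaviour: field values are written into
    the header block exactly as submitted."""
    return assemble_headers(fields)


def contains_line_break(value: str) -> bool:
    """CR or LF on its own is enough to reject a header value."""
    return re.search(r"[\r\n]", value) is not None


def build_headers_fixed(fields: dict) -> str:
    """Hardened builder: refuse any field that could start a new header line."""
    for name, value in fields.items():
        if contains_line_break(value):
            raise ValueError(f"line break in header field {name}")
    return assemble_headers(fields)


def fixed_accepts(fields: dict) -> bool:
    try:
        build_headers_fixed(fields)
    except ValueError:
        return False
    return True


def header_names_strict(raw: str) -> list:
    """Header names seen by software that only treats CRLF as a line end."""
    return [line.split(":", 1)[0] for line in raw.split("\r\n") if line]


def header_names_lenient(raw: str) -> list:
    """Header names seen by software that also accepts bare CR or bare LF as a
    line end (assumed here; this is what the bare-CR variant relies on)."""
    return [line.split(":", 1)[0] for line in re.split(r"\r\n|\r|\n", raw) if line]


if __name__ == "__main__":
    raw = build_headers_vulnerable(INJECTED_FIELDS)
    print(header_names_strict(raw))
    print(fixed_accepts(INJECTED_FIELDS), fixed_accepts(CLEAN_FIELDS))
```

With the injected Subject the vulnerable builder emits five headers (From, To, Subject, Bcc, X-Mailer), so the message is silently copied to the injected Bcc address. The bare-CR variant looks like a single long Subject to a strict CRLF parser but yields an extra Bcc header to a lenient one, which is why the hardened check rejects CR and LF individually rather than only the CRLF pair. In the original PHP the equivalent is to refuse or strip "\r" and "\n" from every field before it is concatenated into the header block.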


Copyright 2021, SecurityGlobal.net LLC