Summary:
Any user of a USA.NET-powered web mail service can read any file on the server that is readable by the web daemon, and can flood other users with large attachments without spending any bandwidth to upload them.
Credit:
The information has been provided by Philip Stoev.
Vulnerable systems:
It is the opinion of Philip Stoev that any web mail system powered by USA.NET (http://www.netaddress.com) is vulnerable to this attack.
The Compose Message form of netaddress.com has five hidden form fields named FileAttachment. When one attaches a file to a message, one of these fields is set to something like
FileName=at.txt&localFilename=/smtp-relay/storage/attachments/NACGIDAA02aIbq&
ContentType=text/plain&attachmentNumber=0
1. The field value contains an absolute path on the server, which the server trusts as-is, so setting it to
FileName=at.txt&localFilename=/etc/passwd&ContentType=text/plain
&attachmentNumber=0
will mail us /etc/passwd from netaddress.com's server.
2. Several FileAttachment form fields can be set to the same value, and netaddress.com will happily attach and mail the contents of the file that many times (the form carries five such fields, but that number is not a limit). The server tries to delete the file after attaching it to the message, so two scenarios are possible:
a) The web interface can read and delete the file: the file is sent once (to the attacker) and then deleted from the server. Not good if this is a critical file.
b) The web interface can read but cannot delete the file: the file is attached in full as many times as the compose form specifies, because the delete after each attach fails and the file is still there to be attached again in the same message (or in any future message). This lets the attacker mail a large file from the server to a victim repeatedly without spending much of the attacker's own bandwidth; the file never even has to be uploaded.
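The following is an added example, not USA.NET's code: a small model of the FileAttachment handling the advisory describes, with the trusting version beside a hardened one that resolves the path and checks it stays inside the upload directory and that no upload is attached twice. Only the field format, the five hidden fields and the quoted paths come from the page; the server-side functions, the sample files and the simulated "can read but cannot delete" permission are assumptions constructed for the demo.

```python
# Added example, not USA.NET's code: model of the FileAttachment handling
# described in the advisory. Field format and paths are from the page; the
# handler functions and the sample files are assumptions for the demo.
import os
import tempfile
from urllib.parse import parse_qs, urlencode


def build_attachment_field(filename, local_path, number, content_type="text/plain"):
    """Encode one hidden FileAttachment value in the format the advisory quotes."""
    return urlencode({"FileName": filename, "localFilename": local_path,
                      "ContentType": content_type, "attachmentNumber": number},
                     safe="/")


def attacker_form(target_path, copies=5):
    """Five hidden FileAttachment fields, every one pointed at the same server file."""
    return [("FileAttachment", build_attachment_field("at.txt", target_path, i))
            for i in range(copies)]


def vulnerable_attach(form_fields, read_file, delete_file):
    """As the advisory describes it: trust localFilename, attach it, then try to
    delete it and ignore a failed delete (scenario b keeps the file around)."""
    attachments = []
    for name, value in form_fields:
        if name != "FileAttachment":
            continue
        params = parse_qs(value)
        local = params["localFilename"][0]
        attachments.append((params["FileName"][0], read_file(local)))
        try:
            delete_file(local)
        except OSError:
            pass  # file survives and can be attached again
    return attachments


class AttachmentError(ValueError):
    pass


def hardened_attach(form_fields, storage_root, read_file, delete_file):
    """Same flow with two checks: the resolved path must be a direct child of
    the upload directory, and each upload may be attached only once."""
    root = os.path.realpath(storage_root)
    seen, attachments = set(), []
    for name, value in form_fields:
        if name != "FileAttachment":
            continue
        params = parse_qs(value)
        resolved = os.path.realpath(params["localFilename"][0])  # follows symlinks, removes ..
        if os.path.dirname(resolved) != root:
            raise AttachmentError("localFilename escapes the upload directory")
        if resolved in seen:
            raise AttachmentError("upload attached twice in one message")
        seen.add(resolved)
        # basename() keeps FileName from carrying a path into the outgoing part
        attachments.append((os.path.basename(params["FileName"][0]), read_file(resolved)))
        delete_file(resolved)  # a failed delete now propagates instead of being ignored
    return attachments


def demo():
    """Run both handlers against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        storage = os.path.join(tmp, "smtp-relay", "storage", "attachments")
        os.makedirs(storage)
        upload = os.path.join(storage, "NACGIDAA02aIbq")  # upload name quoted in the advisory
        with open(upload, "w") as fh:
            fh.write("legitimate upload\n")
        os.makedirs(os.path.join(tmp, "etc"))
        passwd = os.path.join(tmp, "etc", "passwd")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample line

        def read_file(path):
            with open(path, "rb") as fh:
                return fh.read()

        def delete_file(path):
            # Constructed: the daemon may unlink its own uploads but nothing
            # outside its storage directory (the advisory's scenario b).
            if os.path.dirname(os.path.realpath(path)) != os.path.realpath(storage):
                raise PermissionError(path)
            os.unlink(path)

        stolen = vulnerable_attach(attacker_form(passwd), read_file, delete_file)
        try:
            hardened_attach(attacker_form(passwd), storage, read_file, delete_file)
            rejected = False
        except AttachmentError:
            rejected = True
        legit = hardened_attach(attacker_form(upload, copies=1), storage, read_file, delete_file)
        return {"vuln_copies": len(stolen),
                "vuln_leaked": all(body == read_file(passwd) for _, body in stolen),
                "passwd_survives": os.path.exists(passwd),
                "hardened_rejected": rejected,
                "legit_count": len(legit),
                "upload_deleted": not os.path.exists(upload)}
```

Running `demo()` shows the vulnerable handler mailing five copies of the constructed passwd file while the file stays on disk, the hardened handler refusing the same form, and a genuine upload still being attached once and then removed. The containment check is the minimum fix; a better design never lets the browser carry a server path at all and hands out an opaque per-session token that the server maps back to the stored upload.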