|
|
| |
| Mailreader.com is web base POP3 email reader written in perl. Two security vulnerabilities have been found in the product allowing remote attackers to view arbitrary files and to execute arbitrary commands. |
| |
Credit:
The information has been provided by pokleyzz of SCAN Associates.
|
| |
Vulnerable systems:
* Mailreader.com version 2.3.31 and prior
Immune systems:
* Mailreader.com version 2.3.33
There is multiple vulnerabilities in this package as describe below.
1) Read any text file
By default mailreader install with language support. There is no proper error checking in configLanguage input. Using NULL byte poisoning we can easily overwrite that value with any file we want and cause mailreader to display the file content.
Example:
http://192.168.0.1/cgi-bin/mail/nph-mr.cgi?do=loginhelp&configLanguage=../..
/../../../../../etc/passwd%00
2) Remote command execution
Mailreader allow user to specify their own mail server so any user can login and use the mailreader. User also can overwrite SMTP Servers configuration using configSMTPServers input. For version 2.3.30 and above there is an option to use sendmail as mail transfer agent. There is poor error checking for $CONFIG{RealEmail} in compose.cgi which will use as $from in network.cgi.
from network.cgi line 372:
if ($server =~ /[.]*sendmail/) {
# close the file 'cause it isn't needed
close FILE;
# send the file
my $res = `$server -U -f$from -t -i < $filename`;
# and escape
return 1;
}
This will allow user to include value that will escape to shell and run arbitrary command as web user.
Vendor Response:
Vendor has been contacted on 23/10/2002 and new version of Mailreader.com is available.
|
|
|
