The @Mail Open 1.04 webmail client contains multiple vulnerabilities, including unrestricted upload of file with dangerous type (CWE-434), relative path traversal (CWE-23), external control of file name or path (CWE-73), and information exposure (CWE-200).
The @Mail Open 1.04 webmail client contains multiple vulnerabilities including the following.
CWE-434: Unrestricted Upload of File with Dangerous Type
An attacker can upload email attachments with dangerous file types, such as .php. This vulnerability can be exploited to upload a backdoor PHP shell.
CWE-23: Relative Path Traversal
The compose.php script contains a directory traversal vulnerability. An example is below:
hxxps://localhost/compose.php?func=renameattach&unique=/..././..././..././..././..././..././..././..././..././..././..././..././tmp/positive.test%00&Attachment[]=/../../../../../../../../../etc/passwd
CWE-73: External Control of File Name or Path
The compose.php and SendMsg.php scripts can be exploited with the directory traversal attack to copy any file on the system. An example is below:
hxxps://localhost/compose.php?func=renameattach&unique=1.txt%00&Attachment[]=/../../../../../../../../../etc/passwd
As a result, the file will be available at:
hxxps://localhost/tmp/[email protected]/[email protected]
The mime.php script can be exploited with the directory traversal attack to read any file on the system. An example is below:
hxxps://localhost/mime.php?file=%0A/../../../../../../../../../etc/passwd&name=positive.html
CWE-200: Information Exposure
The info.php script calls the phpinfo() function, which may display sensitive system configuration information.
Additional details may be found in Positive Technologies' PT-2011-48 advisory.
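For defenders reviewing web server logs from an @Mail Open 1.04 host, the following added example (not part of the original advisory or the vendor's code) flags requests to the scripts named above whose parameters decode to dot-only path segments or control characters such as %00 and %0A. The log format, the sample lines, and the finding labels are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Scripts and parameters taken from the advisory's example requests.
WATCHED = {"compose.php": {"unique", "Attachment[]"}, "mime.php": {"file", "name"}}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
CONTROL_RE = re.compile(r"[\x00-\x1f]")   # includes NUL (%00) and newline (%0A)
DOTS_RE = re.compile(r"\.{2,}")           # "..", and "..." as used in "..././"

def inspect_request(target):
    """Return sorted findings for one request target (path plus query)."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    findings = set()
    if script == "info.php":
        findings.add("phpinfo-page-requested")
    # parse_qsl percent-decodes keys and values before they are checked.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key not in WATCHED.get(script, ()):
            continue
        clean = CONTROL_RE.sub("", value)
        if clean != value:
            findings.add("control-char:" + key)
        segments = clean.replace("\\", "/").split("/")
        if any(DOTS_RE.fullmatch(s) for s in segments):
            findings.add("dot-segment:" + key)
    return sorted(findings)

def scan(lines):
    """Return (line_number, findings) for every log line with findings."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        findings = inspect_request(match.group(1)) if match else []
        if findings:
            hits.append((number, findings))
    return hits

# Constructed sample lines (addresses, timestamps and sizes are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Mar/2012:10:00:01 +0000] "GET /compose.php?func=renameattach&unique=/..././..././tmp/x%00&Attachment[]=/../../etc/passwd HTTP/1.1" 200 512',
    '192.0.2.10 - - [20/Mar/2012:10:00:05 +0000] "GET /mime.php?file=%0A/../../etc/passwd&name=positive.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [20/Mar/2012:10:01:00 +0000] "GET /compose.php?func=renameattach&unique=a1b2c3&Attachment[]=report.pdf HTTP/1.1" 200 300',
    '192.0.2.10 - - [20/Mar/2012:10:02:00 +0000] "GET /info.php HTTP/1.1" 200 40000',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, ", ".join(findings))
```

Matching on dot-only segments rather than the literal string `../` is what catches the `..././` form in the first example request. Parameters sent in a POST body, including uploaded attachments, do not appear in an access log and need a separate check.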
A remote attacker may be able to read and write to arbitrary files on the system. A backdoor shell may also be uploaded to an affected system.
Apply an Update
@Mail Open 1.05 has been released to address these vulnerabilities.
743555
Notified: February 06, 2012 Updated: March 20, 2012
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 6 | AV:N/AC:M/Au:S/C:P/I:P/A:P |
Temporal | 4.7 | E:POC/RL:OF/RC:C |
Environmental | 4.7 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
Thanks to Sergey Scherbel of Positive Technologies for reporting these vulnerabilities.
This document was written by Jared Allar.
CVE IDs: | None |
---|---|
Severity Metric: | 1.34 Date Public: |