Atmail Remote Authentication Bypass, Full DB Compromise

2008-08-01T00:00:00
ID SECURITYVULNS:DOC:20267
Type securityvulns
Reporter Securityvulns
Modified 2008-08-01T00:00:00

Description

@Mail PHP Version 5.41 patch Release http://atmail.com/demo/atmailphpdemo.tgz

The default install of Atmail 5.41 creates the following file in the atmail/ directory: build-plesk-upgrade.php

If that file is called via http, such as: http://example.com/atmail/build-plesk-upgrade.php it will execute on the local server as expected:

nobody 19495 11.3 0.0 22572 8908 ? S 17:25 0:00 /usr/bin/php /usr/local/apache/htdocs/atmail/build-plesk-upgrade.php

producing numerous warnings and errors:

building @Mail-Plesk Pro upgrade Warning: mkdir() [function.mkdir]: Permission denied in /usr/local/apache/htdocs/atmail/build-plesk-upgrade.php on line 32 making . dir... making /usr/local/atmail-plesk-upgrade/.

and when complete the following files will exist:

/usr/local/apache/htdocs/atmail: -rw-r--r-- 1 nobody nobody 101754880 Jul 30 17:26 files.tar -rw-r--r-- 1 nobody nobody 27162656 Jul 30 17:26 plesk-atmail-upgrade.tgz

Those files are the contents of the atmail/ directory. The plesk-atmail-upgrade.tgz only contains the files.tar file.

Either file could then be downloaded:

http://example.com/atmail/files.tar http://example.com/atmail/plesk-atmail-upgrade.tgz

or copied to another directory on the server for browsing through. The information contained in those files includes the Atmail Config.php file which stores the Atmail database username, password, and database server hostname in plain text:

$ egrep 'sql_(user|host|pass)' libs/Atmail/Config.php 'sql_host' => 'localhost', 'sql_pass' => '43s2H4N55X', 'sql_user' => 'atmail',

This information could then be used to access the Atmail database to obtain client credentials, such as email addresses, usernames, passwords, session IDs, and more.

Also in the files.tar file is the webadmin/.htpasswd file, which contains the administrator user's username and password hash.