Cyclonic Webmail 4 multiple vulnerabilities

2003-12-15T00:00:00
ID SECURITYVULNS:DOC:5526
Type securityvulns
Reporter Securityvulns
Modified 2003-12-15T00:00:00

Description

Software: Cyclonic Webmail Version : 4 vendor : Stallion Networking

  1. Software description

Cyclonic is a webbased interface allowing users to handle emails stored on a POP Server. This software is Freeware

  1. Vulnerability description

- bypassing the login script
- reading other users data and/or emails
- session hijacking
- spoofing emails
- possibility to put files in the webroot
  1. Problems with user authentification

File: cyclonic.pl

A user is asked to enter a username, a password and the address of the popserver. Since the server is specified by the client, ANY POP can be given. The script passes the username and password to a POP server and uses the server-responses to validate a user. Once validated it requests that users mailboxstatus on the POP server with the STAT command.

This procedure allone has a few problems. First of all, ANYONE with a POP account can use your Webserver and bandwidth to read his emails, no matter it's your mailserver or that of some other provider. Secondly, for some exploits described further down, one will need to login. This can easilly be accomplished by validating yourself with one of your own emailaccounts with another provider or a little script that fakes POP responses.

  1. Session Hijacking

Once you are logged in, the only authentification method the scripts will use is a SessionID, that is passed from one script to another tru the URL. So if you know a sessionID from other sessions you could easilly hijack that session. Sessiondata is stored in a file that has the sessionID as name, by default this is in a subfolder named /sids/. So if the webserver has directorylistin enabled, one can easilly obtain other session ID's by surfing to the /sids/ subfolder and then use this ID to 'hijack' another session.

cyclonic.pl?SESSIONID=*****&CURRENTFOLDER=Inbox

(replace *'s with the sessionID)

  1. Problems with default storage directories

By default the userdata is stored in a subfolder called /users/. If a users reads an email with the webinterface, the email, and any attachment, is stored in /users/USERNAME/DECODE/ , making it accessoble to anyone. emails are stored within this folder without any form of encryption. Also stored in the users folder, in cleartext, is the users addressbook.

Since attachments, are stored, unencrypted, within the webroot, theoraticaly one is able to set up scripts and run them on the server.

  1. Spoofing emails

As described in point 3, bypassing the login is easy, either by using a 3d party POP server, or by session hijacking. When this is done the user can go to the options screen to set his name and emailaddress. these values are used when sending email. Cyclonic reads email from a POP account, but for sending emails it uses an internel mailserver. By specifying a username and emailadres (not validated in ANY way) a user can completely hide himself. Sending an email as 'admin@hostingserver.net' would look perfectly legitimate.

Best regards

Somers Raf