Home page logo

bugtraq logo Bugtraq mailing list archives

AeroMail multiple vulnerabilities
From: Ulf Harnhammar <ulfh () update uu se>
Date: Sun, 3 Mar 2002 21:26:05 +0100 (CET)

AeroMail multiple vulnerabilities

VENDOR: Mark Cushman (mark () cushman net)
HOMEPAGE: http://the.cushman.net/projects/aeromail/
MIRROR: http://www.packetplay.com/projects/aeromail/
VULNERABLE VERSIONS: all versions below 1.45
SEVERITY: medium to high


"AeroMail is a Web-based email client written in PHP. It uses an IMAP server
to read and store messages in one or more user-defined folders, and its
features include HTTP authentication for login (no cookies), folder
manipulation, support for sending and viewing attachments, inline image
display, multilanguage support, and URL highlighting."
(direct quote from the program's project page on Freshmeat)

AeroMail is released under the terms of the GNU General Public License.
It seems to have quite a few users.


1) When sending e-mails, you can trick the attachment subsystem into sending
local files from the web server or remote files from URL's instead of uploaded
files as it should.

How is that possible? Well, after PHP has uploaded a file, it sets a few
variables with information about it. One of them is the filename under which
the uploaded file has been temporarily stored. It is important to check that
this variable was set by uploading a file. It might also be normal POSTed
data, in which case you end up with this problem.

2) You can add additional headers to outgoing e-mail messages by sending some
normal data for the To or Cc or Subject fields, a CRLF and then another header
with some data. (A lot of other programs allow this too. It's not just
AeroMail.) This can be used for adding uuencoded attachments up in the headers
with lines ending in CR instead of CRLF, as previously discussed here on

3) JavaScript and HTML code is active, when Subject headers are displayed.
This allows DOS attacks by redirecting, theft of cookies etc.

Issues 1 and 2 require a valid user/password combination to be exploited,
while issue 3 is open to anyone.

The vendor was contacted with an explanation, two exploits and a patch on the
23rd of February. Version 1.45, which is not vulnerable to any of these
issues, was released on the 27th of February.


I recommend that all users upgrade to version 1.45 immediately.


Here are HTML exploits for issues 1 and 2. They are distributed as a
uuencoded, gzipped tar archive.

Issue 3 doesn't need a special exploit - you just send an ordinary mail:

mail -s '<script>self.location.href="http://www.kuro5hin.org/";</script>' \
metaur () prontomail com < /dev/null

// Ulf Harnhammar
metaur () prontomail com

begin 644 aeromail_exploits.tar.gz
M'XL("!9R () CP``V%E<F]M86EL7V5X<&QO:71S+G1A<@#M5FUOVS80]F?]BJL&
M[P?N4*2:I;H^?LB8"T%)#5S-/NM"WZ\01%0JI () =<B?KA8>>7>M,H)J5*IS\1
MX0-,9H&(A1RX/TP+N&`$(%FFH () LQ3W]?(NDJ[=ROTL:CYE8_<!EU3H5,`%V)
M1#APKZ_>CU%B8.(W6`[</<>UI!&(Y/'Q$<72\"YA2M$9:V11AJH^2*[1:9 () \
M?'>-?F:,Y&F6:]`85[2*AR%+74AI () I1D I=(W=,X1_+L\OCJHPN*_XF$<=X9
M+<#$ZLT.F;3 () 7Y*[<(HP'9",*C4/5W7=F:/PFIN`:Z9^AD]8*@"3CDE0PEPJ
M3V>@C3U<P83/<$_DLV () _2PKI6\QI>?[AFAV&K7)<1VS%^3F/8Y () P"&@<LQ#0
M]`'$M-A9U$SU () J/$6LDV$\2V () KW59>=C_;2PL][LP2F3#%!2T:V?=EH]0`V2
M () F&JW%(;Y?]Q2%DSQ\PFV\S!\A"]S;.0:M;(\X9:4MA>,H7"E,TA$7)IW^\]

  By Date           By Thread  

Current thread:
  • AeroMail multiple vulnerabilities Ulf Harnhammar (Mar 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]