Home page logo
/

bugtraq logo Bugtraq mailing list archives

SCAN Associates Advisory : Multiple vurnerabilities on mailreader.com
From: pokleyzz <pokleyzz () scan-associates net>
Date: Mon, 28 Oct 2002 17:48:04 +0800

Products: Mailreader.com v 2.3.31 and below (http://www.mailreader.com)
Date: 28 October 2002
Author:  pokleyzz <pokleyzz () scan-associates net>
Contributors: sk () scan-associates net shaharil () scan-associates net

Description
===========
Mailreader.com (http://www.mailreader.com) is web base pop3 email reader written in perl.

Details
=======
There is multiple vurnerabilities in this package as describe below.

1) Read any text file

By default mailreader install with language support.  There is no proper
error checking in configLanguage input.Using nullbyte poisoning we can easily overwrite that value with any file we want and cause mailreader to display the file content.
ex:

http://192.168.0.1/cgi-bin/mail/nph-mr.cgi?do=loginhelp&configLanguage=../..
/../../../../../etc/passwd%00

Affected version :  <=  Mailreader.com v2.3.31


2) Remote command execution

Mailreader allow user to specify their own mail server so any user can
login and use the mailreader . User also can overwrite SMTPServers configuration using configSMTPServers input. For version 2.3.30 and above there is an option to use sendmail as mail transfer agent. There is poor error checking for $CONFIG{RealEmail} in compose.cgi which will use as $from in
network.cgi.

from network.cgi line 372:

        if ($server =~ /[.]*sendmail/) {
                # close the file 'cause it isn't needed
                close FILE;

                # send the file
                my $res = `$server -U -f$from -t -i < $filename`;

                # and escape
                return 1;
        }

This will allow user to include value that will escape to shell and run arbitrary command as web user.

Affected version : Mailreader.com v2.3.30 and Mailreader.com v2.3.31

Vendor Response =============== Vendor has been contacted on 23/10/2002 and new version of Mailreader.com is available.












  By Date           By Thread  

Current thread:
  • SCAN Associates Advisory : Multiple vurnerabilities on mailreader.com pokleyzz (Oct 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]