SCAN Associates Advisory : Multiple vurnerabilities on mailreader.com

[pokleyzz <pokleyzz () scan-associates net>]

Products: Mailreader.com v 2.3.31 and below (http://www.mailreader.com)
Date: 28 October 2002
Author:  pokleyzz <pokleyzz () scan-associates net>
Contributors: sk () scan-associates net shaharil () scan-associates net

Description
===========
Mailreader.com (http://www.mailreader.com) is  web base pop3 email 
reader written in perl.

Details
=======
There is multiple vurnerabilities in this package as describe below.

1) Read any text file

By default mailreader install with language support.  There is no proper
error checking in configLanguage input.Using nullbyte poisoning  we can 
easily overwrite that value with any file we want and cause mailreader to 
display the file content.
ex:

http://192.168.0.1/cgi-bin/mail/nph-mr.cgi?do=loginhelp&configLanguage=../..
/../../../../../etc/passwd%00

Affected version :  <=  Mailreader.com v2.3.31


2) Remote command execution

Mailreader allow user to specify their own mail server so any user can
login and use the mailreader . User also can overwrite SMTPServers 
configuration using configSMTPServers input.  For version 2.3.30 and above
there is an option to use sendmail as mail transfer agent.  There is poor 
error checking for $CONFIG{RealEmail} in compose.cgi which will use as $from in
network.cgi.

from network.cgi line 372:

        if ($server =~ /[.]*sendmail/) {
                # close the file 'cause it isn't needed
                close FILE;

                # send the file
                my $res = `$server -U -f$from -t -i < $filename`;

                # and escape
                return 1;
        }

This will allow user to include value that will escape to shell and run 
arbitrary command as web user.

Affected version : Mailreader.com v2.3.30 and Mailreader.com v2.3.31

Vendor Response 
=============== 
Vendor has been contacted on 23/10/2002 and new version of Mailreader.com  
is available.