Bugtraq mailing list archives
SCAN Associates Advisory : Multiple vurnerabilities on mailreader.com
From: pokleyzz <pokleyzz () scan-associates net>
Date: Mon, 28 Oct 2002 17:48:04 +0800
Products: Mailreader.com v 2.3.31 and below (http://www.mailreader.com) Date: 28 October 2002 Author: pokleyzz <pokleyzz () scan-associates net> Contributors: sk () scan-associates net shaharil () scan-associates net Description ===========Mailreader.com (http://www.mailreader.com) is web base pop3 email reader written in perl.
Details ======= There is multiple vurnerabilities in this package as describe below. 1) Read any text file By default mailreader install with language support. There is no propererror checking in configLanguage input.Using nullbyte poisoning we can easily overwrite that value with any file we want and cause mailreader to display the file content.
ex: http://192.168.0.1/cgi-bin/mail/nph-mr.cgi?do=loginhelp&configLanguage=../.. /../../../../../etc/passwd%00 Affected version : <= Mailreader.com v2.3.31 2) Remote command execution Mailreader allow user to specify their own mail server so any user canlogin and use the mailreader . User also can overwrite SMTPServers configuration using configSMTPServers input. For version 2.3.30 and above there is an option to use sendmail as mail transfer agent. There is poor error checking for $CONFIG{RealEmail} in compose.cgi which will use as $from in
network.cgi. from network.cgi line 372: if ($server =~ /[.]*sendmail/) { # close the file 'cause it isn't needed close FILE; # send the file my $res = `$server -U -f$from -t -i < $filename`; # and escape return 1; }This will allow user to include value that will escape to shell and run arbitrary command as web user.
Affected version : Mailreader.com v2.3.30 and Mailreader.com v2.3.31Vendor Response =============== Vendor has been contacted on 23/10/2002 and new version of Mailreader.com is available.
Current thread:
- SCAN Associates Advisory : Multiple vurnerabilities on mailreader.com pokleyzz (Oct 28)