Bugtraq mailing list archives


From: Ulf Harnhammar <ulfh () update uu se>
Date: Sat, 23 Mar 2002 23:30:01 +0100 (CET)

Instant Web Mail additional POP3 commands and mail headers

PROGRAM: Instant Web Mail
VENDOR: Jonas Koch Bentzen (jonas () understroem dk)
HOMEPAGE: http://understroem.dk/instantwebmail/
VULNERABLE VERSIONS: 0.59 (possibly earlier versions too)
TYPE: remote/local
SEVERITY: medium


DESCRIPTION:

"Instant Web Mail is a Web-based POP mail client written in PHP. It is
incredibly simple to install, but it is nevertheless an advanced program."
(direct quote from the program's project page at Freshmeat)

Its features include reading and sending attachments, viewing both text/plain
and text/html messages, decoding national characters in mail headers, a choice
of several languages and themes, and a number of customization options.
The program is published under the terms of the GNU General Public License.


ISSUES:

1) The function command(), which sends a POP3 command to a POP3 server, allows
embedded CR and LF characters. Nowhere in the program are those characters
stripped from user input before it is passed to that function. This means that
additional POP3 commands can be included in user requests.

The program also converts URLs in e-mail messages to links. This makes it
easy for an evil person to send a link to a user, and for that user to visit
it. He or she may then be redirected from the evil server back to a page at
his or her Instant Web Mail installation. If the evil server passes an
additional POP3 command for deleting a mail in the URL that it redirects to,
Instant Web Mail will then show the user one mail while deleting another one!

One example of such a URL to redirect to would be:
http://www.userhost.se/instantwebmail/message.php?id=1%0D%0ADELE+2&;

2) The mail sending script write.php allows embedded CR and LF characters in
the user input that makes up mail headers like From, To, Cc, Bcc, Subject and
X-Priority. This can be used to insert uuencoded attachments into the header
block, with lines ending in CR instead of CRLF, a technique previously
discussed here on Bugtraq.

This issue can be exploited by simply saving Instant Web Mail's HTML page for
writing mails, and changing some text fields to textareas.
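Both issues come down to the same defect: user input that ends up on a line-oriented wire (a POP3 command line in issue 1, a mail header field in issue 2) is never checked for CR or LF, so one value can terminate the current line and start another. The following Python is an added illustration, not code from Instant Web Mail or its author; it shows what a POP3 server receives from an unchecked command() builder, the hardened builders a fix would use for commands and headers, and a small detection helper that flags request URLs whose decoded query parameters carry CR/LF. The function names (pop3_command, mail_header, crlf_params) are hypothetical; the sample URL is the one from the advisory with its trailing `;` dropped.

```python
import re
from urllib.parse import parse_qs, urlsplit

# A bare CR or LF inside a value that becomes part of a line-oriented protocol
# (POP3 commands, RFC 822 header fields) lets that value end one line and
# begin another, which is the root cause of both issues in the advisory.
CRLF_RE = re.compile(r"[\r\n]")

# Sample URL from the advisory (constructed input for the detection helper).
SAMPLE_URL = "http://www.userhost.se/instantwebmail/message.php?id=1%0D%0ADELE+2&"


class LineInjection(ValueError):
    """Raised when user-controlled input would span more than one protocol line."""


def reject_crlf(value, what):
    """Return value unchanged, or raise if it contains CR or LF."""
    if CRLF_RE.search(value):
        raise LineInjection(f"CR/LF not allowed in {what}")
    return value


def unsafe_pop3_command(verb, *args):
    """The unchecked pattern the advisory describes: arguments pasted in as-is."""
    return " ".join([verb, *map(str, args)]) + "\r\n"


def pop3_command(verb, *args):
    """Hardened builder (hypothetical): one verb, one line, no CR/LF in arguments."""
    parts = [verb] + [reject_crlf(str(a), f"argument of {verb}") for a in args]
    return " ".join(parts) + "\r\n"


def pop3_lines(wire):
    """What a POP3 server sees: one command per CRLF-terminated line."""
    return [line for line in wire.split("\r\n") if line]


def mail_header(name, value):
    """Hardened header builder (hypothetical): refuse line breaks in name or value.

    A bare CR inside a header value is exactly the trick the advisory mentions
    for smuggling uuencoded data into the header block.
    """
    reject_crlf(name, "header name")
    reject_crlf(value, "header value")
    return f"{name}: {value}"


def crlf_params(url):
    """Detection helper: query parameters whose decoded value contains CR or LF.

    Suitable for a request filter or for scanning web-server logs, since the
    application decodes %0D%0A before the value reaches its POP3 layer.
    """
    query = parse_qs(urlsplit(url).query)
    return {k: v for k, vs in query.items() for v in vs if CRLF_RE.search(v)}


def raises_injection(fn, *args):
    """True if calling fn(*args) is refused with LineInjection."""
    try:
        fn(*args)
    except LineInjection:
        return True
    return False


if __name__ == "__main__":
    injected = crlf_params(SAMPLE_URL)["id"]
    print("server would see:", pop3_lines(unsafe_pop3_command("RETR", injected)))
    print("hardened builder refuses it:", raises_injection(pop3_command, "RETR", injected))
    print("header with bare CR refused:", raises_injection(mail_header, "Subject", "x\rbegin 644 a"))
```

Stripping or rejecting CR/LF at the point where the value is turned into a protocol line is the right place for the check, because it is the only place that knows the value is about to become line-structured; filtering in one PHP page would miss the next page that forwards user input to command().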


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 14th of March. We discussed these issues for a
few days. Version 0.60, which is not vulnerable to any of these issues, was
released on the 17th of March.


RECOMMENDATION:

I recommend that all users upgrade to version 0.60 immediately.


// Ulf Harnhammar
metaur () prontomail com

