Re: UEBIMIAU <= 2.7.2 MULTIPLES VULNERABILITIES

[pokley <pokleyzz () scan-associates net>]

I have discover this bug indipendently on March 2004. Since Uebimiua team  
have a comment to change default temporary directory for security reason  
in their config file this seem not critical to me and decided not to  
inform the developer.

In this case this bug may lead to remote command execution by uploading  
php script as attachment since uebimiau will preserve original file  
extension for uploaded attachment. We may know the actual uploaded file by  
decoding session file (*.usf).

-- decode_session.php---
<?
$fp = fopen($argv[1],"r");
$result = fread($fp,filesize($argv[1]));
fclose($fp);
$result = unserialize(~$result);
var_dump($result);
?>
------------------------



On Thu, 27 Jan 2005 12:10:50 -0300 (ART), Nash Leon  
<nashleon () yahoo com br> wrote:

> ADVISORE 01  15/01/2005
>
> INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORE
>
>        http://www.intruders.com.br/
>        http://www.intruders.org.br/
>
>
> ADVISORE/0105 - UEBIMIAU < 2.7.2 MULTIPLES
> VULNERABILITIES
>
> PRIORITY: HIGH
>
>
> I - INTRODUCTION:
> ----------------
>
> From http://www.uebimiau.org/
>
> "UebiMiau is a simple, yet efficient cross-plataform
> POP3/IMAP mail
> reader written in PHP. It's have some many features,
> such as: Folders,
> View and Send Attachments, Preferences, Search, Quota
> Limit, etc.
> UebiMiau DOES NOT require database or extra PHP
> modules (--with-imap)"
>
>
> II - DESCRIPTION:
> ------------------
>
> Intruders Tiger Team Security has identified multiples
> vulnerabilities in Uebimiau WebMail Server in default
> installation that can be exploited by malicious users
> to hijacking session files and others informations
> in target system.
> Intruders Tiger Team Security has discovered that many
> systems are vulnerables.
>
>
> III - ANALYSIS
> ---------------
>
> Uebimiau in default installation create one
> temporary folder to store "sessions" and other
> files. This folder is defined in "inc/config.php"
> as "./database/".
>
> If the web administrator don't change this
> folder, one attacker can exploit this using
> the follow request:
>
> http://server-target/database/_sessions/
>
> If the Web server permit "directory listing",
> the attacker can read session files.
>
> Other problem live in the way that the files
> of users are stored. In default installation
> the files of the users are stored using
> the follow model:
>
> $temporary_directory/<user>_<domain>/
>
> A attacker can access files of users requesting:
>
> http://server-target/database/user_domain/
>
> Where user is the target user and domain is
> the target domain.
>
> Intruders Tiger Team Security has found many
> servers vulnerable to these attacks.
>
>
> IV. DETECTION
> -------------
>
> Intruders Tiger Team Security has confirmed the
> existence
> of this vulnerability in Uebimiau version 2.7.2.
> Other versions possibly vulnerable too.
>
>
> V. WORKAROUND
> --------------
>
> 1 STEP - Insert index.php in each directory of the
> Uebimiau.
>
> 2 STEP - Set variable $temporary_directory to a
> directory
> not public and with restricted access, set permission
> as read
> only to "web server user" for each files in
> $temporary_directory.
>
> 3 STEP - Set open_basedir in httpd.conf to yours
> clients follow
> the model below:
>
> <Directory /server-target/public_html>
> php_admin_value open_basedir
> /server-target/public_html
> </Directory>
>
>
> VI - VENDOR RESPONSE
> --------------------
>
> 15/01/2005 - Flaw discovered.
> 18/01/2005 - Contacted Uebimiau Team.
> 20/01/2005 - Vendor response.
> 26/01/2005 - Advisore published.
>
>
> VII - CREDITS
> -------------
>
> Glaudson Ocampos(Nash Leon) and Intruders Tiger Team
> Security has discovery this vulnerability.
> Thanks to Wendel Guglielmetti Henrique (dum_dum) and
> Waldemar Nehgme from securityopensource.org.br.
> Visit Intruders Tiger Team Security  Web Site  for
> more advisores:
> http://www.intruders.com.br/
> http://www.intruders.org.br/
>
>
>         
>         
>                 
> _______________________________________________________
> Yahoo! Acesso Grátis - Instale o discador do Yahoo! agora.  
> http://br.acesso.yahoo.com/ - Internet rápida e grátis



--
Using Opera's revolutionary e-mail client: http://www.opera.com/m2/