S-Mail.com PHP / Apache Issues

Posted Oct 7, 2013
Authored by Juan Carlos Garcia

Secure Mail at s-mail.com actually suffers from dozens of vulnerabilities due to using out of date PHP and Apache versions.

tags | advisory, php, vulnerability
SHA-256 | bcf4a8a35493dc589f526c3acdfdd2b8596c418c332e7d75666242af1c71a388

============================================================================================================================================
S-MAIL HTML Entity Encoder Heap Overflow / PHP Zend_Hash_Del_Key_Or_Index / Unfiltered Header Injection in Apache / PHP Unspecified Remote Arbitrary File Upload
============================================================================================================================================

Multiple advisories were sent to the vendor, but the vendor did not respond. Hence: full disclosure.


I. VULNERABILITY
-------------------------
#Title: S-MAIL Cross-site request forgery / HTML entity encoder heap overflow / PHP socket_iovec_alloc() integer overflow / PHP Zend_Hash_Del_Key_Or_Index / Unfiltered Header Injection in Apache / PHP Unspecified Remote Arbitrary File Upload

#Vendor: http://WWW.s-mail.com/

#Author: Juan Carlos García (@secnight)

#Follow me
Twitter:@secnight

II. DESCRIPTION
-------------------------

S-Mail® is an innovative email system that provides high-level protection for emails on the Internet.

S-Mail users have safe and secure email correspondence. Only the sender and recipient of S-Mail can access emails sent through this service.

S-Mail provides the ultimate protection with strong encryption for personal and business communications.

S-Mail combines simplicity and security to create a tailored solution for protecting email.

Messages and attached files are encrypted and decrypted through PGP, SSL and DSA algorithms on the user's PC.

As a result, communications sent using S-Mail are delivered fully protected.

S-Mail is compatible with all other email systems and programs.


III. PROOF OF CONCEPT
-------------------------

PHP version older than 4.4.1
*****************************

Multiple vulnerabilities have been reported in PHP, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and potentially compromise a vulnerable system.

Affected PHP versions (up to 4.4.0).

The impact of this vulnerability
___________________________________

Security bypass, cross site scripting, denial of service, system access.


Apache version older than 1.3.28 (current version is Apache/1.3.27)
**********************************************************************


The impact of this vulnerability
_________________________________

Multiple. Check references for details about every vulnerability.



Apache version older than 1.3.41
*********************************

Security fixes in Apache version 1.3.41:
_________________________________________

CVE-2007-6388 (cve.mitre.org) mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason. [Mark Cox]

Security fixes in Apache version 1.3.40:
___________________________________________

CVE-2007-5000 (cve.mitre.org) mod_imap: Fix cross-site scripting issue. Reported by JPCERT. [Joe Orton]

CVE-2007-3847 (cve.mitre.org) mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144. With Apache 1.3, the denial of service vulnerability applies only to the Windows and NetWare platforms. [Jeff Trawick]


PHP HTML entity encoder heap overflow
**************************************

Stefan Esser reported some vulnerabilities in PHP, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. The vulnerabilities are caused due to boundary errors within the "htmlentities()" and "htmlspecialchars()" functions. If a PHP application uses these functions to process user-supplied input, this can be exploited to cause a heap-based buffer overflow by passing specially crafted data to the affected application. Successful exploitation may allow execution of arbitrary code, but requires that the UTF-8 character set is selected. For a detailed explanation of the vulnerability read the referenced article.
Vendor has released PHP 5.2.0 which fixes this issue.

Affected PHP versions (up to 4.4.4/5.1.6).

The impact of this vulnerability
_________________________________

Denial of service, remote code execution.


PHP unspecified remote arbitrary file upload vulnerability
**********************************************************

An unspecified remote arbitrary file upload vulnerability has been reported for this version of PHP.

Affected PHP versions (up to 4.3.8/5.0.1).


PHP Zend_Hash_Del_Key_Or_Index vulnerability
**********************************************

Stefan Esser discovered a weakness deep within the implementation of hashtables in the Zend Engine.
This vulnerability affects a large number of PHP applications and opens large new holes in many popular PHP applications.
Additionally, many old holes that were disclosed in the past were only fixed by using the unset() statement.
Many of these holes are still open if the already existing exploits are changed by adding the correct numerical keys to survive the unset().
For a detailed explanation of the vulnerability read the referenced article.

http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html

Affected PHP versions (up to 4.4.2/5.1.3).

The impact of this vulnerability
___________________________________

Code execution, SQL injection, ...


Unfiltered header injection in Apache 1.3.34/2.0.57/2.2.1
***********************************************************

Vulnerability description
*************************
This version of Apache is vulnerable to HTML injection (including malicious Javascript code) through the "Expect" header. Until now it was not classified as a security vulnerability, since an attacker had no way to influence the Expect header to send the victim to a target website. However, according to Amit Klein's paper "Forging HTTP request headers with Flash", there is a working cross site scripting (XSS) attack against Apache 1.3.34, 2.0.57 and 2.2.1 (as long as the client browser is IE or Firefox, and it supports Flash 6/7+).

The impact of this vulnerability
________________________________
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

How to fix this vulnerability
_______________________________
Upgrade to the latest Apache version. This flaw has been corrected in Apache versions 1.3.35/2.0.58/2.2.2.


Apache error log escape sequence injection vulnerability
********************************************************

This version of Apache is vulnerable to injection of escape character sequences into the error log. This problem may be exploited when a vulnerable terminal emulator is used to view the log.

Affected Apache versions (up to 2.0.48 for Apache 2.x and up to 1.3.29 for Apache 1.x).


PHP mail function ASCII control character header spoofing vulnerability
***********************************************************************

The PHP mail function does not properly sanitize user input. Because of this, a user may pass ASCII control characters to the mail() function that could alter the headers of email. This could result in spoofed mail headers.

Affected PHP versions (up to 4.2.2).


PHP socket_iovec_alloc() integer overflow
******************************************

Buffer overflow in the openlog() function in PHP 4.3.1 on the Windows operating system, and possibly other OSes.

Affected PHP versions (up to 4.3.1).


The impact of this vulnerability
___________________________________

Allows remote attackers to cause a crash and possibly execute arbitrary code via a long filename argument.

How to fix this vulnerability
________________________________
Upgrade PHP to the latest version.

Web references
________________
CVE-2003-0172


PHP4 multiple vulnerabilities
*****************************

PHP has released an upgrade to address multiple vulnerabilities, including integer overflow issues that have been reported to affect PHP4 and bundled software.
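The issues above all reduce to "the advertised Apache/PHP version is at or below a last-affected version". The following script, added here as an example and not part of the original advisory, parses a Server banner and reports which of the advisory's version thresholds apply; the thresholds are transcribed from the advisory text, while the sample banner's PHP/4.3.8 component is a constructed value (the advisory names only Apache/1.3.27).

```python
"""Compare a web server banner against the version thresholds listed in this advisory."""
import re

# Thresholds transcribed from the advisory: (component, branch prefix, last affected
# version, issue label). A version is flagged when it lies in the branch and is
# less than or equal to the last affected version.
THRESHOLDS = [
    ("Apache", (1, 3), (1, 3, 27), "Apache < 1.3.28: multiple issues (see references)"),
    ("Apache", (1, 3), (1, 3, 29), "error log escape sequence injection"),
    ("Apache", (1, 3), (1, 3, 34), "unfiltered Expect header injection (XSS)"),
    ("Apache", (1, 3), (1, 3, 39), "CVE-2007-5000 mod_imap XSS / CVE-2007-3847 mod_proxy"),
    ("Apache", (1, 3), (1, 3, 40), "CVE-2007-6388 mod_status XSS"),
    ("PHP", (4,), (4, 2, 2), "mail() ASCII control character header spoofing"),
    ("PHP", (4,), (4, 3, 1), "CVE-2003-0172 socket_iovec_alloc()/openlog overflow"),
    ("PHP", (4,), (4, 3, 8), "unspecified remote arbitrary file upload"),
    ("PHP", (4,), (4, 4, 0), "PHP < 4.4.1 multiple vulnerabilities"),
    ("PHP", (4,), (4, 4, 2), "Zend_Hash_Del_Key_Or_Index"),
    ("PHP", (4,), (4, 4, 4), "htmlentities()/htmlspecialchars() heap overflow"),
    ("PHP", (5,), (5, 0, 1), "unspecified remote arbitrary file upload"),
    ("PHP", (5,), (5, 1, 3), "Zend_Hash_Del_Key_Or_Index"),
    ("PHP", (5,), (5, 1, 6), "htmlentities()/htmlspecialchars() heap overflow"),
]

BANNER_RE = re.compile(r"\b(Apache|PHP)/(\d+(?:\.\d+)+)")


def parse_banner(banner):
    """Extract version tuples, e.g. {'Apache': (1, 3, 27), 'PHP': (4, 3, 8)}."""
    return {name: tuple(int(p) for p in ver.split("."))
            for name, ver in BANNER_RE.findall(banner)}


def affected_issues(versions):
    """Return (component, label) pairs for every threshold the versions fall under."""
    hits = []
    for component, branch, last_affected, label in THRESHOLDS:
        v = versions.get(component)
        if v is None or v[:len(branch)] != branch:
            continue  # component not advertised, or a branch this table does not cover
        if v <= last_affected:
            hits.append((component, label))
    return hits


if __name__ == "__main__":
    # Constructed banner: Apache/1.3.27 as reported in the advisory, PHP/4.3.8 assumed.
    sample = "Apache/1.3.27 (Unix) PHP/4.3.8"
    for component, label in affected_issues(parse_banner(sample)):
        print(f"{component}: {label}")
```

A banner is only a hint: servers can suppress or spoof ServerTokens, so treat a hit as a prompt to confirm the installed package version on the host.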


IV. BUSINESS IMPACT
-------------------------

CRITICAL

V SOLUTION
------------------------

UPDATE PHP AND APACHE SOFTWARE P L E A S E !!!


VI. CREDITS
-------------------------

This vulnerability has been discovered by Juan Carlos García (@secnight)


VII. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage
caused by the use or misuse of this information.