NuralStorm Webmail Cross Site Scripting / Shell Upload

NuralStorm Webmail Cross Site Scripting / Shell Upload
Posted Jul 13, 2010
Authored by Justin C. Klein Keane

NuralStorm Webmail version 0.985b suffers from cross site scripting, disclosure and shell upload vulnerabilities.

tags | advisory, shell, vulnerability, xss, info disclosure
SHA-256 | 87b1b77abb1761e2c38189b3ae0aea0e15431e70b50b65cbf6474919342c5afc

Full details of this report are available at:
http://www.madirish.net/?article=466

A recent code audit of the NuralStorm Webmail system revealed a number
of serious vulnerabilities. If you are using NuralStorm, please review
the following vulnerability report. It is recommended that you restrict
access to any NuralStorm installation immediately and disable
NuralStorm if possible. There is currently no patch or workaround for
the vulnerabilities described below.

Description of Vulnerability:
-----------------------------
NuralStorm Webmail is an Open Source web based e-mail client written in
PHP. NuralStorm is distributed from http://www.nuralstorm.net/.

NuralStorm Webmail contains a cross site scripting (XSS) vulnerability
because it fails to sanitize the output of HTML e-mail before display. This
vulnerability is particularly dangerous because NuralStorm keeps login
credentials stored in cookie values. The combination of this vulnerability
and this architecture means that attackers can steal login credentials by
injecting JavaScript into mail sent to targeted users.

NuralStorm contains multiple stored XSS vulnerabilities in the
addressbook functionality because nickname and e-mail address values are
not sanitized before display.

NuralStorm contains an arbitrary file upload vulnerability because it
fails to sanitize the values of variables stored in client side cookies
(COOKIE_SESSSION) before using them to determine upload
locations. This vulnerability could allow attackers who can compose
messages to upload arbitrary PHP to the NuralStorm server, into any directory
that is writable by the web server.
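As an added illustration of how the two issues above (unescaped output of untrusted mail and address book values, and a cookie value that selects a filesystem location) can be handled defensively, the following PHP is not NuralStorm's own code; the cookie name COOKIE_SESSSION comes from the advisory, while the function names, the base directory and the filename policy are assumptions.

```php
<?php
// Added illustration, not NuralStorm code. The cookie name COOKIE_SESSSION is from the
// advisory; the function names, base directory and filename policy are assumptions.

// Resolve the per-session attachment directory from an untrusted cookie value.
// Returns the canonical path, or null if the value is malformed or escapes $baseDir.
// $baseDir should sit outside the web root so nothing stored there is ever served as PHP.
function resolveUploadDir(string $baseDir, string $sessionToken): ?string
{
    // Allow-list the token's shape: no slashes, dots, NUL bytes or other metacharacters.
    if (preg_match('/\A[A-Za-z0-9]{16,64}\z/', $sessionToken) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // The directory must already exist: trusted code creates it at login, never a cookie.
    // realpath() canonicalises symlinks and '..' before the containment check.
    $real = realpath($base . DIRECTORY_SEPARATOR . $sessionToken);
    if ($real === false || !is_dir($real) || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Reject attachment names that are not a plain basename or that a web server might execute.
function safeAttachmentName(string $clientName): ?string
{
    $name = basename($clientName);
    if (preg_match('/\A\w[\w.-]{0,99}\z/', $name) !== 1) {
        return null;
    }
    return preg_match('/\.(php\d?|phtml|phar|cgi)\z/i', $name) === 1 ? null : $name;
}

// Encode untrusted text (address book nickname, e-mail address, BGCOLOR) for an HTML context,
// e.g. echo '<td>' . h($nickname) . '</td>'; instead of echoing the raw value.
function h(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$dir  = resolveUploadDir('/var/spool/webmail-attach', $_COOKIE['COOKIE_SESSSION'] ?? '');
$name = safeAttachmentName($_FILES['attach']['name'] ?? '');
if ($dir === null || $name === null) {
    http_response_code(400);
    exit('rejected');
}
move_uploaded_file($_FILES['attach']['tmp_name'], $dir . DIRECTORY_SEPARATOR . $name);
```

Full HTML e-mail bodies need a real HTML sanitizer rather than htmlspecialchars(), which is only correct for plain text placed into an HTML context.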

NuralStorm is also vulnerable to numerous cross site request forgery
(XSRF) attacks because forms for input do not have any protection
mechanisms, such as one time tokens, implemented.

NuralStorm contains an information disclosure vulnerability because it
does not sanitize input to the book.php page. Attackers requesting a
crafted URL could expose the address book of valid system users.

NuralStorm contains a reflected XSS vulnerability in book_include.php
because it fails to sanitize the BGCOLOR parameter before it is included
in the page display. Attackers can exploit this vulnerability via URL.

NuralStorm contains an arbitrary file deletion vulnerability in
maintenance.php. Attackers can use URL variables to cause the web
server to delete arbitrary files.

NuralStorm allows arbitrary email to be relayed via problems.php without
authentication. This vulnerability can be exploited via maliciously
crafted URL parameters.

NuralStorm settings.php contains an unauthenticated arbitrary file write
vulnerability. Attackers can use this vulnerability to write arbitrary
PHP to directories writable by the web server. This vulnerability could
be used to inject PHP shell backdoors.

Systems affected:
-----------------
NuralStorm 0.985b was tested and shown to be vulnerable.

Impact
------
Highly critical. Attackers could use XSS in messages sent to victims to
perform all of the attacks described above, including the arbitrary file
upload attack. Using the proof of concept in the full report, unauthorized attackers
can write arbitrary PHP with the privileges of the web server. This could
lead to PHP shell injection and web server compromise. A denial of
service threat exists where the web server has permission to delete files.
XSS attacks could reveal credentials, as these are stored unencrypted in
cookies. Because NuralStorm uses the account credentials for POP/IMAP
authentication, these credentials are likely also to be valid for shell access (SSH
or Telnet), so credential exposure could lead to shell access.

Vendor Response
---------------
Contact attempts with the vendor have been unsuccessful; emails to all
published contacts (including domain registrants) bounced. The project
was last updated nearly 8 years ago, so it is reasonable to assume that
it has been abandoned.

--
Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey
