ADVISORE 01 15/01/2005

INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY
http://www.intruders.com.br/
http://www.intruders.org.br/

ADVISORE/0105 - UEBIMIAU < 2.7.2 MULTIPLE VULNERABILITIES

PRIORITY: HIGH

I - INTRODUCTION:
----------------

From http://www.uebimiau.org/

"UebiMiau is a simple, yet efficient cross-platform POP3/IMAP mail reader written in PHP. It has many features, such as: Folders, View and Send Attachments, Preferences, Search, Quota Limit, etc. UebiMiau DOES NOT require a database or extra PHP modules (--with-imap)"

II - DESCRIPTION:
------------------

Intruders Tiger Team Security has identified multiple vulnerabilities in a default installation of the UebiMiau webmail server that allow a remote attacker to read session files and other user data stored on the target system. Intruders Tiger Team Security has found that many deployed systems are vulnerable.

III - ANALYSIS
---------------

In a default installation UebiMiau creates a temporary folder to store "sessions" and other files. This folder is defined in "inc/config.php" as "./database/", which lies inside the web root. If the web administrator does not change this folder, an attacker can request it directly:

http://server-target/database/_sessions/

If the web server permits directory listing, the attacker can enumerate and read the session files.

A second problem lies in the way the files of users are stored. In a default installation the files of each user are kept under the following path:

$temporary_directory/<user>_<domain>/

An attacker can access the files of a user by requesting:

http://server-target/database/user_domain/

where user is the target user and domain is the target domain.

Intruders Tiger Team Security has found many servers vulnerable to these attacks.

IV. DETECTION
-------------

Intruders Tiger Team Security has confirmed the existence of these vulnerabilities in UebiMiau version 2.7.2. Other versions are possibly vulnerable too.

V. WORKAROUND
--------------

STEP 1 - Insert an index.php file in each directory of the UebiMiau installation, so that a request for a directory no longer returns a listing. Note that this only hides the listing: a file whose name is known or guessable can still be fetched directly, so step 2 is the one that actually removes the data from the web root.

STEP 2 - Set the variable $temporary_directory to a directory that is not publicly accessible and has restricted access; set the permissions on each file in $temporary_directory so that only the "web server user" can read them.

STEP 3 - Set open_basedir in httpd.conf for each of your clients, following the model below:

php_admin_value open_basedir /server-target/public_html

VI - VENDOR RESPONSE
--------------------

15/01/2005 - Flaw discovered.
18/01/2005 - Contacted UebiMiau Team.
20/01/2005 - Vendor response.
26/01/2005 - Advisory published.

VII - CREDITS
-------------

Glaudson Ocampos (Nash Leon) and Intruders Tiger Team Security discovered this vulnerability.

Thanks to Wendel Guglielmetti Henrique (dum_dum) and Waldemar Nehgme from securityopensource.org.br.

Visit the Intruders Tiger Team Security web site for more advisories:
http://www.intruders.com.br/
http://www.intruders.org.br/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
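Appendix to sections III to V: the directory-listing check and step 1 of the workaround, written out as an added Python example. This is not code from the advisory or from UebiMiau itself. It assumes the stock inc/config.php value $temporary_directory = "./database/" and the <user>_<domain> per-user layout from section III; the base URL, user and domain are supplied by the caller, and the directory tree used by selfcheck_install_stubs() is constructed in a scratch directory.

```python
#!/usr/bin/env python3
"""Audit and remediation helpers for the UebiMiau temporary-directory exposure.

Added example, not code from UebiMiau or from the advisory authors. It assumes
the stock inc/config.php value $temporary_directory = "./database/" and the
<user>_<domain> per-user layout described in section III of the advisory.
"""
import os
import re
import tempfile
import urllib.error
import urllib.request

DEFAULT_TMP = "database"  # stock $temporary_directory, relative to the web root

# Apache, nginx and lighttpd autoindex pages all carry an "Index of /..." title.
_LISTING_RE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)


def exposed_paths(user=None, domain=None):
    """URL paths named in the advisory, relative to the UebiMiau web root."""
    paths = [f"{DEFAULT_TMP}/_sessions/"]
    if user and domain:
        paths.append(f"{DEFAULT_TMP}/{user}_{domain}/")
    return paths


def is_directory_listing(status, body):
    """True when a response looks like an autoindex page.

    A 200 without an "Index of" title (what an index.php stub returns) and any
    non-200 status are treated as not exposed.
    """
    return status == 200 and bool(_LISTING_RE.search(body))


def probe(base_url, user=None, domain=None, timeout=10):
    """Request each path under base_url and map it to True (listing served),
    False (no listing) or None (host unreachable).
    Network call: point it only at hosts you are authorised to test."""
    results = {}
    for path in exposed_paths(user, domain):
        url = base_url.rstrip("/") + "/" + path
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read(65536).decode("utf-8", "replace")
                results[path] = is_directory_listing(resp.status, body)
        except urllib.error.HTTPError:
            results[path] = False  # 403/404: the server refused to list it
        except urllib.error.URLError:
            results[path] = None
    return results


def install_index_stubs(webroot):
    """Workaround step 1: put an index.php into every directory below webroot
    that lacks one, so a request for the directory yields an empty page instead
    of a listing. Returns the stub paths created. This only hides the listing;
    files whose names are known can still be fetched until step 2 moves
    $temporary_directory out of the web root."""
    created = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        if "index.php" not in filenames:
            stub = os.path.join(dirpath, "index.php")
            with open(stub, "w", encoding="ascii") as fh:
                fh.write("<?php\n// Stub: prevents directory listing.\n")
            created.append(stub)
    return created


def selfcheck_install_stubs():
    """Build a constructed copy of the default layout (web root, database/,
    database/_sessions/) in a scratch directory, run install_index_stubs twice
    and return the number of stubs each run created: (3, 0) is expected."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, DEFAULT_TMP, "_sessions"))
        first = len(install_index_stubs(root))
        second = len(install_index_stubs(root))
    return first, second


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 2:  # usage: script.py http://server-target/ [user domain]
        for path, exposed in probe(*sys.argv[1:4]).items():
            state = "EXPOSED" if exposed else ("not exposed" if exposed is False else "unreachable")
            print(f"{path}: {state}")
    else:
        print("self-check:", selfcheck_install_stubs())
```

Saved under any name (uebimiau_check.py is assumed here), `python3 uebimiau_check.py http://server-target/ user domain` reports whether the two directories from section III are served as listings; with no arguments it only runs the self-check. Steps 2 and 3 of the workaround (relocating $temporary_directory outside the web root and setting open_basedir) remain manual configuration changes.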