Released
12/09/2000
Vulnerable
Most (all?) versions of IMP < 2.2.1
Overview
IMP is an extremely powerful and widespread webmail application written in PHP.
While investigating the PHP file upload issue described in SRADV0001
(http://www.securereality.com.au/sradv00001.html) we tested many popular
PHP scripts that support file upload. All of them were vulnerable to the
problem in the form given there, except IMP. By luck it avoided that
particular problem; it is, however, still vulnerable to arbitrary disclosure
of any file readable by the web user (typically 'nobody') via an alternative
method.
It is a shame we released this advisory a little late: for those not aware, a
serious bug has since been found in Horde (a library that IMP uses) that
allows remote command execution. For more detail on that problem see
http://www.securityfocus.com/bid/1674. This means most users will (hopefully)
have updated at least the Horde library to the latest version; however, those
who updated only the Horde library and not IMP as well remain vulnerable to
the problem described here.
Impact
File disclosure
Detail
IMP is not vulnerable to most forms of the method described in SRADV00001
because it attempts to copy the specified file to its current location with
'.att' appended. That is, if the filename were '/etc/passwd', it attempts to
copy the file to '/etc/passwd.att'. This will almost always fail, since the
web user is unlikely to have write access to the directories named.
However, IMP makes the mistake of storing state in hidden form variables which,
if modified, cause insecure behaviour. In order to keep track of the
attachments for an email being composed in compose.php, it stores attachment
information in hidden form variables like the following:
Modifying the attachments_name[] hidden variable causes IMP to email, as an
attachment, any file it can read with web user privileges. Additionally, it
tries to unlink that file once the message is sent, which could potentially be
used to cause damage.
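The pattern at fault here is server-side code trusting a client-supplied path for an attachment. The following PHP is an added illustration written for this advisory and is not IMP's or Horde's code: it shows the unsafe pattern beside a hardened version in which attachment metadata lives only in the server-side session and the client holds an opaque token. Function names, ATTACH_DIR and the session layout are assumptions chosen for the example; the is_uploaded_file() check on upload also addresses the form-variable trick from SRADV00001 that IMP escaped only by luck.

```php
<?php
// Added example (not IMP's code). Names and paths below are assumptions.

// UNSAFE: the path of each attachment is read straight from a hidden form
// field, so any file readable by the web user is mailed out and then unlinked.
function attach_unsafe(array $post): array
{
    $parts = [];
    foreach ($post['attachments_name'] ?? [] as $path) {
        $parts[] = file_get_contents($path); // arbitrary readable file
        unlink($path);                        // and destroyed afterwards
    }
    return $parts;
}

// HARDENED: attachments are moved into a private directory at upload time,
// recorded in the session, and later referenced only by an unguessable token.
define('ATTACH_DIR', sys_get_temp_dir() . '/webmail-attach'); // assumed location

function store_upload(array $upload): ?string
{
    // Accept only files that really arrived through PHP's upload mechanism;
    // a forged form variable naming a local path fails this check.
    if (!isset($upload['tmp_name']) || !is_uploaded_file($upload['tmp_name'])) {
        return null;
    }
    if (!is_dir(ATTACH_DIR) && !mkdir(ATTACH_DIR, 0700, true)) {
        return null;
    }
    $token = bin2hex(random_bytes(16));       // opaque handle shown to the client
    $dest  = ATTACH_DIR . '/' . $token;
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        return null;
    }
    $_SESSION['attachments'][$token] = [
        'path' => $dest,
        'name' => basename($upload['name']),  // display name only, never a path
    ];
    return $token;
}

function attach_safe(array $tokens): array
{
    $parts = [];
    $base  = realpath(ATTACH_DIR);
    foreach ($tokens as $token) {
        // Only tokens this session issued are honoured; the client never
        // supplies a filesystem path.
        if (!isset($_SESSION['attachments'][$token])) {
            continue;
        }
        $path = realpath($_SESSION['attachments'][$token]['path']);
        // Belt and braces: the resolved file must still sit inside ATTACH_DIR.
        if ($path === false || $base === false || strpos($path, $base . '/') !== 0) {
            continue;
        }
        $parts[] = [
            'name' => $_SESSION['attachments'][$token]['name'],
            'data' => file_get_contents($path),
        ];
        unlink($path);                        // safe now: it is our own temp file
        unset($_SESSION['attachments'][$token]);
    }
    return $parts;
}
```

The hidden form field then carries only tokens, so tampering with it can at worst drop an attachment from the message; the unlink on send can no longer reach anything outside the attachment directory.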
Disclaimer
Advice, directions and instructions on security vulnerabilities in this
advisory do not constitute: an endorsement of illegal behaviour; a guarantee
that protection measures will work; an endorsement of any product or solution;
or recommendations on behalf of Secure Reality Pty Ltd. Content is provided
as is and Secure Reality does not accept responsibility for any damage
or injury caused as a result of its use.