=================================================
Secure Reality Pty Ltd. Security Advisory #3 (SRADV00003)
http://www.securereality.com.au
=================================================
[Title]
Arbitrary file disclosure through IMP
[Released]
12/09/2000
[Vulnerable]
Most (all?) versions of IMP < 2.2.1
[Overview]
IMP is an extremely powerful and widespread webmail application written
in PHP. While investigating the PHP file upload issue discussed in
SRADV0001 (http://www.securereality.com.au/sradv00001.html) we tested
many popular PHP scripts that support file upload. All of them were
vulnerable to the problem in the form given, except IMP. By luck it
managed to avoid that problem; it is, however, still vulnerable to
arbitrary disclosure of files readable by the web user (typically
'nobody') via an alternative method.
It is a shame we released this advisory a little late: for those not aware,
a serious bug has been found in Horde (a library that IMP uses) that
allows remote command execution. For more detail on that problem see
http://www.securityfocus.com/bid/1674. This means most users will
(hopefully) have updated at least the Horde library to the latest version;
however, those who updated only the Horde library and not IMP as well
will still be vulnerable to the problem described here.
[Impact]
File Disclosure
[Detail]
IMP is not vulnerable to most forms of the method described in
SRADV00001 because it attempts to copy the specified file to its current
location with .att appended. That is, if the filename were '/etc/passwd', it
attempts to copy the file to '/etc/passwd.att'. This will almost always
fail, since the web user is unlikely to have permission to write files
in the directories specified.
However, IMP makes the mistake of storing hidden variables in a form which,
if modified, cause insecure behaviour. In order to keep track of the
attachments for an email being composed in compose.php, it stores hidden
form variables like the following:
Modifying the attachments_name[] hidden variable will cause IMP to email
as an attachment any file it can read with web user privileges. Additionally
it will try to unlink this file once complete, which could potentially
be used to cause damage.
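The root cause above is that a file path round-trips through the browser in a hidden field and is then read and unlinked as-is. The following is an added example (not IMP's or Horde's code) of how a compose script can avoid that: uploads are staged under a server-generated token, the token is the only thing placed in the form, and every token posted back is resolved with realpath() and required to sit inside the staging directory before it is read or removed. The directory name $attachDir and the function names are assumptions for illustration; the code assumes session_start() has already been called.

```php
<?php
// Added example (not from the advisory or IMP): attachment bookkeeping that
// never trusts a client-supplied path. $attachDir is assumed to be a directory
// used solely for staged attachments and writable only by the web user.

// Resolve a posted token to a path inside $attachDir, or return null.
function resolveAttachment(string $attachDir, string $name): ?string
{
    // Only a bare file name is acceptable: no separators, no NUL bytes.
    if ($name === '' || $name !== basename($name) || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($attachDir);
    $path = realpath($attachDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() collapses symlinks and '..'; the result must stay under $base.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Stage an uploaded file under a random token; only the token reaches the form.
function stageUpload(string $attachDir, array $upload): ?string
{
    if (!isset($upload['tmp_name']) || !is_uploaded_file($upload['tmp_name'])) {
        return null;
    }
    $token = bin2hex(random_bytes(16));
    if (!move_uploaded_file($upload['tmp_name'], $attachDir . DIRECTORY_SEPARATOR . $token)) {
        return null;
    }
    // The display name is kept server-side; the client never supplies a path.
    $_SESSION['attachments'][$token] = basename($upload['name']);
    return $token;
}

// Read and remove the staged attachments whose tokens the compose form posted back.
function collectAttachments(string $attachDir, array $tokens): array
{
    $out = [];
    foreach ($tokens as $token) {
        // A token this session did not stage is simply ignored.
        if (!isset($_SESSION['attachments'][$token])) {
            continue;
        }
        $path = resolveAttachment($attachDir, (string) $token);
        if ($path === null) {
            continue;
        }
        $out[] = [
            'name' => $_SESSION['attachments'][$token],
            'data' => file_get_contents($path),
        ];
        unlink($path); // can only ever remove a file inside $attachDir
        unset($_SESSION['attachments'][$token]);
    }
    return $out;
}

// Usage in a compose handler (constructed):
//   $token  = stageUpload('/var/lib/webmail/attach', $_FILES['attachment']);
//   ...emit <input type="hidden" name="attachments[]" value="<?= $token ?>">...
//   $files  = collectAttachments('/var/lib/webmail/attach', $_POST['attachments'] ?? []);
```

Two independent checks are deliberately combined: the session lookup rejects any token the server did not itself issue, and the realpath() containment test guards the read and the unlink even if the session check were ever bypassed. With this layout a tampered hidden field can at most name a token that does not exist.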
[Fix]
Please upgrade to the latest versions:
IMP 2.2.1 ftp://ftp.horde.org/pub/imp/
Horde 1.2.1 ftp://ftp.horde.org/pub/horde/
[Credits]
Our thanks to Chuck Hagenbuch, a member of the IMP team for his assistance
in quickly fixing this problem and cutting a new version.
[Disclaimer]
Advice, directions and instructions on security vulnerabilities in this
advisory do not constitute: an endorsement of illegal behaviour; a guarantee
that protection measures will work; an endorsement of any product or
solution; or recommendations on behalf of Secure Reality Pty Ltd. Content is
provided as is and Secure Reality does not accept responsibility for any
damage or injury caused as a result of its use.