Security Advice #3


Released
12/09/2000

Vulnerable
Most (all?) versions of IMP < 2.2.1

Overview
IMP is an extremely powerful and widespread webmail application written in PHP. While investigating the PHP file upload issue discussed in SRADV0001 we tested many popular PHP scripts that support file upload. All of them were vulnerable to the problem in the form given, except IMP. By luck it avoids that particular problem; it is, however, still vulnerable to arbitrary disclosure of files readable by the web user (typically ‘nobody’) via an alternative method.

It is a shame we released this advisory a little late: for those not aware, a serious bug has been found in Horde (a library that IMP uses) that allows remote command execution. This means most users will (hopefully) have updated at least the Horde library to the latest version; however, those who updated only the Horde library and not IMP as well will still be vulnerable to this problem.

Impact
File disclosure

Detail
IMP is not vulnerable to most forms of the method described in SRADV00001 because it attempts to copy the specified file to its current location with .att appended. That is, if the filename were ‘/etc/passwd’, it attempts to copy the file to ‘/etc/passwd.att’. This will almost always fail, since the web user is unlikely to have permission to write files in the directories specified.

However, IMP makes the mistake of storing state in hidden form variables which, if modified, cause insecure behaviour. In order to keep track of the attachments for an email being composed in compose.php, it stores form variables like the following:

<input type="hidden" name="attachments_name[]" value="hello.txt">
<input type="hidden" name="attachments_size[]" value="68">
<input type="hidden" name="attachments_file[]" value="/var/tmp/phpAAA0kwGF6.att">
<input type="hidden" name="attachments_type[]" value="text/plain">

Modifying the attachments_name[] hidden variable will cause IMP to email as an attachment any file it can read with web user privileges. Additionally, it will try to unlink this file once complete, which could potentially be used to cause damage.
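The root cause is that the server trusts a file path it previously echoed into the browser. The following is an added illustration, not IMP's or Horde's own code: the trusting pattern the advisory describes, beside a hardened pattern in which the browser only ever holds an opaque token and the server keeps the token-to-file mapping in its own session. The directory name ATTACH_DIR and the function names are assumptions for illustration.

```php
<?php
// Added example, not IMP's code. ATTACH_DIR and all function names are assumed.

// TRUSTING PATTERN (what the advisory describes): the path came from a hidden
// field, so a modified form can name any file readable by the web user, and
// the unlink() afterwards deletes it.
function attach_from_hidden_field(array $post): array
{
    $path = $post['attachments_file'][0];        // client-controlled path
    $data = file_get_contents($path);            // reads whatever it names
    unlink($path);                               // then removes it
    return ['name' => $post['attachments_name'][0], 'data' => $data];
}

// HARDENED PATTERN: the client gets a random token; the real path, display
// name and type live only in the server-side session.
const ATTACH_DIR = '/var/tmp/webmail-attachments';   // assumed upload directory

function register_upload(string $tmpName, string $clientName, string $type): string
{
    $token = bin2hex(random_bytes(16));              // 32 hex chars
    $dest  = ATTACH_DIR . '/' . $token . '.att';
    if (!move_uploaded_file($tmpName, $dest)) {      // only accepts real uploads
        throw new RuntimeException('upload failed');
    }
    $_SESSION['attachments'][$token] = [
        'file' => $dest,
        'name' => basename($clientName),             // drop any client-supplied path
        'type' => $type,
        'size' => filesize($dest),
    ];
    return $token;   // the only value that goes into the hidden field
}

function fetch_attachment(string $token): array
{
    // Reject anything that is not one of our tokens before touching the disk.
    if (!preg_match('/^[0-9a-f]{32}$/', $token)
        || !isset($_SESSION['attachments'][$token])) {
        throw new RuntimeException('unknown attachment token');
    }
    $att  = $_SESSION['attachments'][$token];
    $real = realpath($att['file']);
    $base = realpath(ATTACH_DIR);
    // Defence in depth: even a session-stored path must resolve inside ATTACH_DIR.
    if ($real === false || $base === false || strpos($real, $base . '/') !== 0) {
        throw new RuntimeException('attachment path outside upload directory');
    }
    $att['data'] = file_get_contents($real);
    unlink($real);
    unset($_SESSION['attachments'][$token]);
    return $att;
}

// Usage sketch for a compose form handler:
//   session_start();
//   $token = register_upload($_FILES['f']['tmp_name'], $_FILES['f']['name'], $_FILES['f']['type']);
//   echo '<input type="hidden" name="attachments_token[]" value="' . $token . '">';
//   ... on send:  $att = fetch_attachment($_POST['attachments_token'][0]);
```

The session lookup means a tampered hidden field can at worst name a token the server never issued, which is rejected; the realpath() check guards the case where the stored path itself is ever corrupted. A detection-minded administrator can also watch for POSTs to compose.php whose attachments_file[] values point outside the configured temporary directory, which a legitimate browser never sends.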

Fix
Please upgrade to the latest versions:
IMP 2.2.1 at ftp://ftp.horde.org/pub/imp/
Horde 1.2.1 at ftp://ftp.horde.org/pub/horde/