20th Nov 2001 [SBWID-4866]
COMMAND
Hypermail, webmail allows execution of local scripts
SYSTEMS AFFECTED
Hypermail V.??
PROBLEM
In qDefense Advisory Number QDAV-2001-11-1 [http://qDefense.com]
Hypermail converts e-mails into HTML. It is generally used to
automatically create web archives of mailing lists. When e-mails are
archived, attachments which are included are archived as well. The
attachments are not modified before archival, and they are stored under
the filename contained in the e-mail.
An attacker can therefore create an arbitrary file on the web server
with an arbitrary extension. If the server supports SSI, an attacker
can include SSI commands in a file, give it the SSI extension (normally
.shtml), and mail it. This will create the desired file on the server.
The attacker can then cause the server to execute those SSI commands by
requesting the attachment.
It should be noted that creation of arbitrary files on a web server
carries with it additional insecurities besides SSI, and therefore even
servers that do not support SSI may be vulnerable.
SOLUTION
Hypermail has been patched to convert .shtml extensions to .html. As of
this writing, no further corrective action has been taken.
Servers should never allow SSI, CGI, or any other type of server
processed content in the hypermail directory.
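An added example, not part of the qDefense advisory or of Hypermail's code: one way an archiver could derive the stored filename so that the sender controls neither the directory nor the effective extension. It goes beyond the .shtml-to-.html patch described above by using an allowlist; the function names, the allowlist and the sample message are assumptions constructed for illustration.

```python
import os
import re
from email import message_from_string

# Assumed site policy: extensions the archive may keep unchanged.
SAFE_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg", ".gif", ".zip"}

def safe_attachment_name(raw_name, index):
    """Map a sender-supplied filename to a name that is inert under the web root."""
    # Keep only the last path component, restrict characters, drop leading dots.
    base = os.path.basename((raw_name or "").replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    stem, ext = os.path.splitext(base)
    if ext.lower() not in SAFE_EXTENSIONS:
        # Unknown or server-processed type: keep the name readable, force .bin.
        stem, ext = base, ".bin"
    # Some servers also act on inner extensions (name.shtml.txt), so flatten them.
    stem = stem.replace(".", "_") or "attachment"
    return f"{index:03d}-{stem}{ext.lower()}"

def plan_attachment_names(raw_message):
    """Return (sender_name, stored_name) for every attachment in a message."""
    plan = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename()
            plan.append((name, safe_attachment_name(name, len(plan) + 1)))
    return plan

# Constructed sample message; attachment bodies are placeholders.
SAMPLE = """\
Subject: constructed sample
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="../status.shtml"

placeholder
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="minutes.pdf"

placeholder
--b1--
"""

if __name__ == "__main__":
    print(plan_attachment_names(SAMPLE))
```

Renaming complements, and does not replace, disabling server-processed content in the archive directory as stated above.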
(C) 2001 qDefense Penetration Testing. qDefense Penetration Testing is a
subsidiary of Computer Modeling Corp.
This document may be reproduced, in whole or in part, provided that no
modifications are made and that proper credit is given. Additionally, if it
is made available through hypertext, it must be accompanied by a link to
the qDefense Penetration Testing web site, http://qdefense.com.