
| Subject: | [Full-Disclosure] ITTS ADVISORE 01/05 - Uebimiau <= 2.7.2 Multiples Vulnerabilities |
|---|---|
| Date: | Thu, 27 Jan 2005 09:09:00 -0300 (ART) |
ADVISORY 01 15/01/2005
INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY
http://www.intruders.com.br/
http://www.intruders.org.br/
ADVISORY/0105 - UEBIMIAU < 2.7.2 MULTIPLE
VULNERABILITIES
PRIORITY: HIGH
I - INTRODUCTION:
----------------
From http://www.uebimiau.org/
"UebiMiau is a simple, yet efficient cross-platform POP3/IMAP mail reader written in PHP. It has many features, such as: Folders, View and Send Attachments, Preferences, Search, Quota Limit, etc. UebiMiau DOES NOT require a database or extra PHP modules (--with-imap)"

II - DESCRIPTION:
------------------
Intruders Tiger Team Security has identified multiple vulnerabilities in the default installation of the Uebimiau webmail server that can be exploited by malicious users to hijack session files and read other information on the target system. Intruders Tiger Team Security has discovered that many systems are vulnerable.

III - ANALYSIS
---------------
In its default installation Uebimiau creates one temporary folder to store "sessions" and other files. This folder is defined in "inc/config.php" as "./database/". If the web administrator does not change this folder, an attacker can reach it with the following request:

http://server-target/database/_sessions/

If the web server permits "directory listing", the attacker can read the session files.

A second problem lies in the way user files are stored. In the default installation the files of each user are stored using the following layout:

$temporary_directory/<user>_<domain>/

An attacker can access a user's files by requesting:

http://server-target/database/user_domain/

where user is the target user and domain is the target domain. Intruders Tiger Team Security has found many servers vulnerable to these attacks.

IV. DETECTION
-------------
Intruders Tiger Team Security has confirmed the existence of this vulnerability in Uebimiau version 2.7.2. Other versions are possibly vulnerable too.

V. WORKAROUND
--------------
STEP 1 - Insert an index.php in each directory of the Uebimiau installation.
STEP 2 - Set the variable $temporary_directory to a directory that is not public and has restricted access; set the permission of each file in $temporary_directory to read only for the "web server user".
STEP 3 - Set open_basedir in httpd.conf for your clients, following the model below:

    <Directory /server-target/public_html>
    php_admin_value open_basedir /server-target/public_html
    </Directory>

VI - VENDOR RESPONSE
--------------------
15/01/2005 - Flaw discovered.
18/01/2005 - Contacted Uebimiau Team.
20/01/2005 - Vendor response.
26/01/2005 - Advisory published.

VII - CREDITS
-------------
Glaudson Ocampos (Nash Leon) and Intruders Tiger Team Security discovered this vulnerability.
Thanks to Wendel Guglielmetti Henrique (dum_dum) and Waldemar Nehgme from securityopensource.org.br.

Visit the Intruders Tiger Team Security web site for more advisories:
http://www.intruders.com.br/
http://www.intruders.org.br/
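As an added defender-side check for the workaround steps above (my own example, not code from the advisory or from the UebiMiau project): a small Python audit that reads $temporary_directory from inc/config.php and reports whether that directory lies under the web root, which directories of the install lack an index.php, and which stored files are world-readable. The config key name and the "./database/" default come from the advisory; the sample install tree built by build_sample is a constructed stand-in, not real UebiMiau files.

```python
import os
import re
import tempfile

# Matches the $temporary_directory assignment in a Uebimiau-style inc/config.php.
CONFIG_RE = re.compile(r'\$temporary_directory\s*=\s*["\']([^"\']+)["\']')

def audit_install(install_root, docroot):
    """Check the workaround steps; a True or non-empty finding is a problem."""
    with open(os.path.join(install_root, "inc", "config.php")) as fh:
        temp_dir = CONFIG_RE.search(fh.read()).group(1)
    # A relative value such as the default "./database/" resolves against the install root.
    temp_abs = os.path.realpath(os.path.join(install_root, temp_dir))
    docroot_abs = os.path.realpath(docroot)
    return {
        # Step 2: the session/user-file directory must lie outside the web root.
        "temp_dir_in_docroot": os.path.commonpath([temp_abs, docroot_abs]) == docroot_abs,
        # Step 1: every directory needs an index.php so a directory listing is never served.
        "dirs_missing_index": [os.path.relpath(d, install_root)
                               for d, _, files in os.walk(install_root) if "index.php" not in files],
        # Step 2: stored session and user files must not be readable by everyone (0o004 = other-read).
        "world_readable": [os.path.relpath(os.path.join(d, f), temp_abs)
                           for d, _, files in os.walk(temp_abs) for f in files
                           if os.stat(os.path.join(d, f)).st_mode & 0o004],
    }

def build_sample(install_root, temp_dir_value, add_index=False, mode=0o644):
    """Construct a minimal stand-in for an install (assumed layout, not real UebiMiau files)."""
    os.makedirs(os.path.join(install_root, "inc"), exist_ok=True)
    with open(os.path.join(install_root, "inc", "config.php"), "w") as fh:
        fh.write('<?php\n$temporary_directory = "%s";\n' % temp_dir_value)
    sessions = os.path.join(install_root, temp_dir_value, "_sessions")
    os.makedirs(sessions, exist_ok=True)
    sess = os.path.join(sessions, "sess_constructed")  # constructed session file
    with open(sess, "w") as fh:
        fh.write("user=alice@example.com\n")
    os.chmod(sess, mode)
    if add_index:
        for d, _, _ in os.walk(install_root):
            open(os.path.join(d, "index.php"), "w").close()

def run_demo():
    """Default layout (temp dir under public_html) versus the hardened layout."""
    docroot = os.path.join(tempfile.mkdtemp(), "public_html")
    vuln, hard = os.path.join(docroot, "webmail"), os.path.join(docroot, "webmail2")
    build_sample(vuln, "./database/")  # the default named in the advisory
    # Hardened: private dir outside the web root, index.php everywhere, files not world-readable.
    build_sample(hard, os.path.join(os.path.dirname(docroot), "uebimiau-data"), True, 0o640)
    return audit_install(vuln, docroot), audit_install(hard, docroot)
```

Run run_demo() on a POSIX system: the first result flags the default layout on all three checks, the second is clean.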