IMP File Disclosure Vulnerability
BID:1679
Info
| Bugtraq ID: | 1679 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Sep 12 2000 12:00AM |
| Updated: | Sep 12 2000 12:00AM |
| Credit: | This vulnerability was posted to the Bugtraq mailing list by "Secure Reality Advisories" <[email protected]> on Tue, 12 Sep 2000. |
| Vulnerable: | Horde Project IMP 2.2, Horde Project IMP 2.0 |
| Not Vulnerable: | Horde Project IMP 2.2.1 |
Discussion
IMP is a set of PHP scripts that implement an IMAP-based webmail system. Certain versions of IMP are vulnerable to a remote attack that allows attackers to have files on the server running IMP mailed to them.
The vulnerability exists because user-supplied variables can be set in the PHP script. In normal operation the script uses these predefined variables to track attachments being composed through IMP. The variable in question:
attachments_name[]
can be supplied by the user with the name of a file that he or she would not normally be able to read. The read is performed at the privilege level of the user IMP runs as, so the files that can be read depend on that user's permissions. In addition to mailing the file to the attacker, IMP will attempt to unlink it. If the file is writable by the user running IMP, the file will be deleted.
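One way to close this class of bug, shown as an added example: this is not IMP's code and not the Horde fix. The function names, the session layout and `$spoolDir` are assumptions made for illustration. Attachment paths are kept only in server-side state, and every read or unlink goes through a containment check.

```php
<?php
// Added illustration; hypothetical names, not IMP source code.
// The advisory's pattern: attachment paths arrive in a request variable and are
// trusted as if the upload handler had set them, then mailed and unlinked.
// Hardened form: paths live only in the session; the client holds an opaque id.
// Assumes session_start() has run and $spoolDir holds only pending attachments.

function register_upload(array $file, string $spoolDir): ?string
{
    // is_uploaded_file() confirms PHP received this temp file via HTTP POST.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $id   = bin2hex(random_bytes(16));
    $dest = $spoolDir . DIRECTORY_SEPARATOR . $id;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    // The display name is stored as data only and never used to build a path.
    $_SESSION['attachments'][$id] = ['path' => $dest, 'name' => basename($file['name'])];
    return $id;
}

function resolve_attachment(string $id, string $spoolDir): ?string
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id) || !isset($_SESSION['attachments'][$id])) {
        return null;
    }
    $real = realpath($_SESSION['attachments'][$id]['path']);
    $root = realpath($spoolDir);
    if ($real === false || $root === false) {
        return null;
    }
    // After symlink resolution the file must sit directly under the spool.
    return dirname($real) === $root ? $real : null;
}

function discard_attachment(string $id, string $spoolDir): bool
{
    $path = resolve_attachment($id, $spoolDir);
    if ($path === null) {
        return false; // refuse to unlink anything not proven to be ours
    }
    unset($_SESSION['attachments'][$id]);
    return unlink($path);
}
```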
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Horde Project IMP 2.0
- Horde.org IMP File Disclosure Fix: ftp://ftp.horde.org/pub/imp/
Horde Project IMP 2.2
- Horde.org IMP File Disclosure Fix: ftp://ftp.horde.org/pub/imp/
References
- IMP Homepage (Horde.org)
- PHP Arbitrary File Disclosure - original PHP posting (PHP Development Team.)
- PHP Support (PHP Development Team.)