Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Jarno Huuskonen (Jarno.Huuskonenuku.fi)
Date: Thu May 31 2001 - 05:15:26 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

                 Imp-2.2.4 creates insecure temporary files.
                                Thu May 31 2001

     Jarno Huuskonen <Jarno.Huuskonenuku.fi>

     Wed 16 May 2001

     Horde project 'dev' mailing list contacted on Fri 18 May 2001[1].
     Imp-2.2.5 is available from http://www.horde.org/imp/

     Only tested imp-2.2.4 on Linux and AIX (with php-4.0.5/php-3.0.18)
     but AFAIK all platforms are affected.

     Possible local file overwrite (symlink attack). (For more information
     about race conditions see[2]).

     Imp-webmail uses predictable temporary filenames when handling
     uploaded attachments or when 'viewing' attachments.

     Uploaded attachments:
     When a user composes a new email all the attachments are uploaded to
     the webmail server. First PHP handles the file upload and creates a
     temporary file (the file is created in php.ini 'upload_tmp_dir' or
     /tmp). The temporary filename is something like /tmp/phpXXXXXX
     (where X's are 'random'). After this imp's compose.php3 copies this
     temporary file for safekeeping.
     The destination filename imp uses is /tmp/phpXXXXXX.att, but imp fails
     to check if the destination exists (and the destination file is opened
     without the O_EXCL flag). So the attacker can watch /tmp (or
     upload_tmp_dir) for phpXXXXXX files and then quickly create a symlink:
     'ln -s /tmp/phpXXXXXX.att /to/webserver_writable_file'
    Attachment viewers:
     Imp can use external viewers for viewing email attachments like
     zip-files. Before calling these viewers imp (imp/lib/mimetypes.lib)
     saves the attachment into a temporary file. These filenames are
     something like: /tmp/imp.'.date('Y-M-D_H:i:s').'__'.md5($contents).
     So the filename is quite easy to guess and the file is opened
     without O_EXCL (so creating a bunch of /tmp/imp.... symlinks is also
     possible) (Note: Jon Parise has discovered this earlier[3]).

     Upgrade to imp-2.2.5 and use the 'upload_tmp_dir' directive (php.ini)
     to define a directory where uploaded files should go (see
     imp/docs/SECURITY for more information).

     Note: Imp-2.2.5 uses the PHP tempnam function for creating temporary
     files. With PHP versions earlier than 4.0.3? the tempnam function
     doesn't use mkstemp (so it has a race condition) so upgrading to
     PHP-4.0.5 or patching PHP-3.0.18 to use mkstemp is advisable[4].

     I would like to thank the horde team for creating a great webmail

     devhorde.org discussion about imp tempfile problems.

     David A. Wheeler: Secure Programming for Linux and Unix HOWTO.

     Patch for the imp/lib/mimetypes.lib temp file problem.

     PHP tempnam function.


    Jarno Huuskonen <Jarno.Huuskonenuku.fi>