Cyclonic Webmail 4 multiple vulnerabilities

From: Somers Raf (raf.Somers@pandora.be)
Date: Wed Dec 10 2003 - 19:00:26 CST


Software: Cyclonic Webmail
Version:  4
Vendor:   Stallion Networking

1. Software description
   ----------------------

Cyclonic is a web-based interface that lets users handle e-mail held
in a mailbox on a POP server.
The software is freeware.

2. Vulnerability description
   -------------------------
    - bypassing the login script
    - reading other users' data and/or e-mail
    - session hijacking
    - spoofing e-mail
    - placing files under the webroot

3. Problems with user authentication
   ---------------------------------
File: cyclonic.pl

A user is asked to enter a username, a password and the address of
the POP server. Because the server is specified by the client, ANY
POP server can be given. The script forwards the username and
password to that server and treats the server's responses as the
verdict on whether the user is valid. Once "validated", it requests
the user's mailbox status from the POP server with the STAT command.

This procedure alone has a few problems.
First, ANYONE with a POP account anywhere can use your web server and
bandwidth to read his mail, whether the account is on your mail
server or on some other provider's.
Second, several of the attacks described further down require being
logged in. That is trivially arranged: authenticate with one of your
own accounts at another provider, or point the login form at a small
script that answers "+OK" to every POP command.
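
The exchange described above, as an added example that is not part of the advisory and not Cyclonic's own code: a rogue POP3 server that accepts any USER/PASS (the "small script that fakes POP responses"), a client-side login check that, like Cyclonic, trusts whichever host the form names, and a hardened variant that only talks to a configured server and refuses CR/LF in the credentials. The host name in ALLOWED_POP_SERVERS and the function names are assumptions for illustration.

```python
import socket
import socketserver
import threading

# Assumption: the one POP server this webmail is meant to front. The advisory's
# point is that Cyclonic has no such list and talks to whatever host the form names.
ALLOWED_POP_SERVERS = {"pop.example.net"}


class AcceptAnythingPOP3(socketserver.StreamRequestHandler):
    """Rogue POP3 server: every command, PASS included, gets '+OK'.

    An attacker points the Cyclonic login form at this to be 'validated'."""

    def handle(self):
        self.wfile.write(b"+OK rogue POP3 ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb = line.split()[0].upper() if line.split() else b""
            if verb == b"STAT":
                self.wfile.write(b"+OK 0 0\r\n")      # empty mailbox
            elif verb == b"QUIT":
                self.wfile.write(b"+OK bye\r\n")
                return
            else:
                self.wfile.write(b"+OK\r\n")          # USER/PASS/anything: accepted


def start_rogue_pop3():
    """Bind the rogue server on an ephemeral localhost port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), AcceptAnythingPOP3)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def pop3_login(host, port, user, password, timeout=3.0):
    """Cyclonic-style check: whatever server the client named decides the login."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        rfile = s.makefile("rb")

        def send(line):
            s.sendall(line.encode("ascii") + b"\r\n")
            return rfile.readline().startswith(b"+OK")

        if not rfile.readline().startswith(b"+OK"):   # greeting
            return False
        ok = send(f"USER {user}") and send(f"PASS {password}")
        send("QUIT")
        return ok


def hardened_login(host, port, user, password, allowed=ALLOWED_POP_SERVERS):
    """Same exchange, but only against a configured server, and with CR/LF
    rejected so the form cannot smuggle extra POP3 commands."""
    if host not in allowed or any(c in "\r\n" for c in user + password):
        return False
    return pop3_login(host, port, user, password)


def demo_login_bypass():
    """Run the exchange against the rogue server; returns the three verdicts."""
    srv, port = start_rogue_pop3()
    try:
        bypass = pop3_login("127.0.0.1", port, "nobody", "not-a-real-password")
        rejected = hardened_login("127.0.0.1", port, "nobody", "x")   # host not configured
        allowed = hardened_login("127.0.0.1", port, "nobody", "x", {"127.0.0.1"})
    finally:
        srv.shutdown()
        srv.server_close()
    return bypass, rejected, allowed


if __name__ == "__main__":
    print(demo_login_bypass())   # (True, False, True)
```

The allow-list is the fix that matters: with it, the server answering the login is one the operator controls, so its "+OK" actually means something. The CR/LF check is a cheap extra, since Cyclonic splices the form fields straight into protocol lines.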

4. Session hijacking
   -----------------

Once you are logged in, the only authentication the scripts perform
is a check of a session ID that is passed from one script to the next
in the URL. Anyone who learns another session's ID can therefore take
over that session. Session data is stored in a file named after the
session ID, by default in a subfolder named /sids/. If the web server
has directory listing enabled, one can simply browse to /sids/, read
off other users' session IDs and use one of them to hijack that
session:

cyclonic.pl?SESSIONID=***********&CURRENTFOLDER=Inbox

(replace the *'s with the session ID)
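
A session store that does not fail the way the /sids/ folder does, as an added example (not the advisory's or Cyclonic's code): session files live outside the DocumentRoot, the file name is a hash of the token rather than the token itself, so a directory listing yields nothing a client can replay, and each session is bound to the client address and a lifetime. The directory, the TTL and the class name are assumptions; the token should also travel in a cookie rather than the URL, where it leaks through Referer headers and access logs.

```python
import hashlib
import json
import os
import secrets
import tempfile
import time
from pathlib import Path


class SessionStore:
    """File-backed sessions hardened against the /sids/ listing described above."""

    def __init__(self, directory, ttl=1800):
        # Assumption: `directory` is outside the webroot, e.g. /var/lib/webmail/sids.
        self.dir = Path(directory)
        self.dir.mkdir(parents=True, exist_ok=True)
        os.chmod(self.dir, 0o700)            # web-server user only
        self.ttl = ttl

    def _path(self, sid):
        # Hashing also means an attacker-supplied SESSIONID can never be a path.
        return self.dir / hashlib.sha256(sid.encode("utf-8")).hexdigest()

    def create(self, username, client_ip, now=None):
        sid = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        record = {"user": username, "ip": client_ip,
                  "created": time.time() if now is None else now}
        fd = os.open(self._path(sid), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(record, fh)
        return sid

    def lookup(self, sid, client_ip, now=None):
        """Return the username for a valid session, else None (and drop the file)."""
        path = self._path(sid)
        try:
            record = json.loads(path.read_text())
        except (OSError, ValueError):
            return None
        now = time.time() if now is None else now
        if now - record["created"] > self.ttl or record["ip"] != client_ip:
            path.unlink()
            return None
        return record["user"]

    def destroy(self, sid):
        try:
            self._path(sid).unlink()
        except FileNotFoundError:
            pass


def demo_session_flow():
    """Exercise the store in a temp dir; returns facts a test can assert on."""
    root = tempfile.mkdtemp()
    store = SessionStore(root, ttl=60)
    sid = store.create("alice", "10.0.0.5", now=1000.0)
    listing = os.listdir(root)
    return {
        "owner":    store.lookup(sid, "10.0.0.5", now=1010.0),   # "alice"
        "hijacked": store.lookup(sid, "10.0.0.9", now=1010.0),   # None: other host
        "leaked":   any(sid in name for name in listing),        # False: only hashes
        "expired":  store.lookup(store.create("bob", "10.0.0.5", now=1000.0),
                                 "10.0.0.5", now=1100.0),        # None: 100 s > ttl
    }
```

Binding to the client address is a coarse control (it breaks behind some proxies), but against the attack in this section, an ID read off a listing and replayed from elsewhere, it is what stops the replay even when the directory is exposed.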

5. Problems with default storage directories
   ------------------------------------------
By default user data is stored in a subfolder called /users/ inside the
webroot. When a user reads an e-mail through the web interface, the
message and any attachments are written to /users/USERNAME/DECODE/,
where anyone who knows or guesses the path can fetch them. Messages are
stored in this folder without any form of encryption, and the user's
address book is kept in the same folder in cleartext.

Because attachments are written, unmodified, to a directory under the
webroot, an attacker can in theory mail himself a script, open the
message through Cyclonic so the file lands under the webroot, and then
have the web server run it.
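
How the DECODE step should place a file, as an added example (not the advisory's or Cyclonic's code): the storage root is outside anything the web server serves or executes from, the user name is checked against a strict pattern, the attachment name loses any directory part and unsafe characters, the final path is confirmed to sit under the root, and the file is created exclusively with mode 0600, so no execute bit. DATA_ROOT, the character set and the function names are assumptions.

```python
import os
import re
import secrets
import tempfile
from pathlib import Path

# Assumption: a directory the web server can write but never serves or executes
# from, unlike Cyclonic's default /users/ under the webroot.
DATA_ROOT = Path("/var/lib/webmail/users")

USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def safe_attachment_path(data_root, username, filename):
    """Decide where a decoded attachment may be written; raise on hostile input."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("unacceptable username")
    # Keep only the last path component (either separator style), then neuter
    # anything outside a conservative character set and strip leading dots.
    base = os.path.basename(filename.replace("\\", "/"))
    base = UNSAFE_CHARS.sub("_", base).lstrip(".")[:100] or "attachment"
    stored = f"{secrets.token_hex(8)}_{base}"          # random prefix: no clobbering
    root = Path(data_root).resolve()
    target = (root / username / "DECODE" / stored).resolve()
    if root not in target.parents:                     # belt and braces
        raise ValueError("path escapes storage root")
    return target


def store_attachment(data_root, username, filename, payload):
    """Write the bytes with no execute bit, creating the file exclusively."""
    target = safe_attachment_path(data_root, username, filename)
    target.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    return target


def demo_store():
    """Store an attachment whose name tries to climb into cgi-bin; report the outcome."""
    root = Path(tempfile.mkdtemp())
    target = store_attachment(root, "mallory", "../../cgi-bin/evil.pl",
                              b"#!/usr/bin/perl\nprint 'owned';\n")   # constructed payload
    return {
        "inside_root": root.resolve() in target.parents,
        "relative_dir": str(target.parent.relative_to(root.resolve())),   # "mallory/DECODE"
        "name_suffix": target.name.endswith("_evil.pl"),
        "executable": bool(target.stat().st_mode & 0o111),                # False
    }
```

Moving the directory out of the webroot is the decisive change; the name sanitising and the 0600 mode only matter for the case where an operator leaves it where Cyclonic puts it, and even then a handler such as Apache's AddHandler for .pl would still run a script the server can read.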

6. Spoofing e-mail
   ---------------

As described in point 3, the login is easily bypassed, either by using
a third-party POP server or by session hijacking. Once in, the user
can go to the options screen and set his name and e-mail address;
these values are used when sending e-mail. Cyclonic reads mail from a
POP account, but for sending it uses an internal mail server. Since
the name and address are not validated in ANY way, a user can
completely hide his identity: a message sent as
'admin@hostingserver.net' would look perfectly legitimate.
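
The check that is missing between the options screen and the internal mail server, as an added example (not the advisory's or Cyclonic's code): the From address is compared with the address of the authenticated account, which the server must hold itself (an assumption here; Cyclonic's login gives it no such value), and the free-text display name is stripped of CR/LF so it cannot end the header line and append further headers. Function names and addresses are constructed for the demonstration.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr


def build_outgoing(account_addr, form_name, form_from, to_addr, subject, body):
    """Build the message handed to the internal SMTP server, with the sender
    identity fixed to the authenticated account.

    account_addr comes from server-side account configuration (assumption),
    never from the options form. form_name and form_from are the user-
    controlled 'name' and 'emailaddress' settings."""
    _, requested = parseaddr(form_from)
    if requested.lower() != account_addr.lower():
        raise PermissionError(f"sender {requested!r} is not the logged-in account")
    # Drop CR/LF from the display name: a line break here would let the user
    # append headers such as Bcc: or a second From: to the message.
    display = form_name.replace("\r", " ").replace("\n", " ").strip()
    msg = EmailMessage()
    msg["From"] = formataddr((display, account_addr))
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def demo_spoof_attempts():
    """Three sends from bob's session: a forged From, a clean one, and a header
    injection in the display name. Returns (spoof_rejected, legit_from, injected_bcc)."""
    try:
        build_outgoing("bob@example.net", "Administrator", "admin@hostingserver.net",
                       "victim@example.org", "Reset your password", "click here")
        spoof_rejected = False
    except PermissionError:
        spoof_rejected = True
    legit = build_outgoing("bob@example.net", "Bob", "bob@example.net",
                           "victim@example.org", "hi", "hello")
    injected = build_outgoing("bob@example.net", "Bob\r\nBcc: everyone@example.org",
                              "bob@example.net", "victim@example.org", "hi", "hello")
    return spoof_rejected, str(legit["From"]), injected["Bcc"]
```

With the address pinned to the account, the only thing the options screen still controls is the display name, which is why it is the one field that gets sanitised.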

Best regards

Somers Raf