
TUCoPS :: Web :: Apps :: webmail3.htm

WebMail - hijack others' attachments


Affected,,, etc


    Philip  Stoev  found  the following.   WebMail  (possibly
    software)   as   installed   on,,  and  others  allows  an  attacker  to hijack other
    people's attachments by  modifying the hidden  form fields on  the
    compose message form.   If a file  is attached to  a message,  the
    compose message form has a hidden form field that looks  something
    like this:

        filename.txt = /tmp/cache/24377.550

    By setting it  to a similar  value, one can  send email containing
    someone else's attachments.  For example:

        filename.txt = /tmp/cache/24377.549

    It was also possible to do ../..-style directory traversal.

    The nature of the problem lies in the following:
    1. User  is allowed  to reference  attachments belonging  to other
       users, that is, there were no file-ownership checks.
    2. User input was not validated for ".." character sequences.
    3. Naming of temporary files followed an easy-to-predict numbering
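
    The three root causes above map onto three concrete server-side
    checks.  The following is an added illustration, not code from the
    advisory or from the affected product: it models the trusting
    resolver the advisory describes next to a hardened one.  The cache
    directory, user names, file names and the AttachmentStore /
    legacy_resolve helpers are all constructed for this example.

```python
"""Added example: attachment references in a web-mail compose form.

vulnerable_resolve() reproduces the flaw in the advisory: the hidden
form field is taken as a filesystem path and used as-is.
legacy_resolve() addresses root cause 2 (".." sequences) for a server
that must keep sending a cache file name to the client.
AttachmentStore addresses root causes 1 and 3: opaque random tokens
instead of sequential names, and an ownership check on every use.
All paths and names here are constructed for illustration.
"""
import os
import re
import secrets
from dataclasses import dataclass, field

CACHE_DIR = "/tmp/cache"          # constructed, mirrors the advisory's paths
# Accept only the bare "NNNNN.NNN" cache name shown in the advisory; any
# separator or ".." fails this match before a path is ever built.
CACHE_NAME_RE = re.compile(r"[0-9]+\.[0-9]+")
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{43}")   # shape of token_urlsafe(32)


def vulnerable_resolve(form_value: str) -> str:
    """The advisory's behaviour: no ownership check, no ".." validation."""
    return form_value


def _inside(root: str, path: str) -> bool:
    """True if path, after symlink/.. resolution, stays under root."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_root, real_path]) == real_root


def legacy_resolve(form_value: str, cache_dir: str = CACHE_DIR) -> str:
    """Traversal defence only: whitelist the name, then confirm the
    resolved path is still inside cache_dir.  This does NOT stop a user
    from naming a neighbouring file (root causes 1 and 3)."""
    if not CACHE_NAME_RE.fullmatch(form_value):
        raise ValueError("malformed attachment reference")
    path = os.path.join(cache_dir, form_value)
    if not _inside(cache_dir, path):
        raise ValueError("attachment path escapes the cache directory")
    return os.path.realpath(path)


@dataclass
class AttachmentStore:
    """Hardened design: the client sees an unpredictable token; the
    server keeps the token -> (owner, path, original name) mapping and
    checks the owner before releasing a file."""
    root: str
    _index: dict = field(default_factory=dict)

    def register(self, owner: str, original_name: str) -> str:
        # Random token replaces the sequential /tmp/cache/24377.550 name,
        # so "try the next number" no longer finds anything.
        token = secrets.token_urlsafe(32)
        stored = os.path.join(self.root, owner, token)
        self._index[token] = (owner, stored, original_name)
        return token

    def resolve(self, owner: str, token: str) -> str:
        # Reject anything that is not even token-shaped before lookup.
        if not TOKEN_RE.fullmatch(token):
            raise PermissionError("malformed attachment token")
        entry = self._index.get(token)
        # Ownership check: a valid token belonging to another user is
        # refused exactly like an unknown token.
        if entry is None or entry[0] != owner:
            raise PermissionError("attachment not found for this user")
        # Defence in depth: even a corrupted index entry may not escape root.
        if not _inside(self.root, entry[1]):
            raise PermissionError("attachment path escapes the store")
        return os.path.realpath(entry[1])


if __name__ == "__main__":
    store = AttachmentStore(CACHE_DIR)
    tok = store.register("alice", "filename.txt")
    print("alice resolves own token:", store.resolve("alice", tok))
    for owner, ref in [("bob", tok), ("alice", "../../etc/passwd")]:
        try:
            store.resolve(owner, ref)
        except PermissionError as exc:
            print(f"{owner!r} with {ref!r} refused: {exc}")
```

    Running the script registers one attachment for a constructed user
    "alice", shows that she can resolve her own token, and shows that a
    second user presenting the same token, or a traversal string, is
    refused.  legacy_resolve() is included to make the point that
    filtering ".." alone leaves root causes 1 and 3 untouched; the token
    store is what closes them.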

    This problem is trivial to  exploit by hand by saving  the compose
    message  HTML  form  locally  and  modifying  it.   However, it is
    imperative to  note that  enforcing strict  user-agent, cookie and
    referer check  does not  prevent such  vulnerabilities from  being
    exploited.  There are publicly  available tools (Such as The  ELZA
    at  that  allow  for  the  exploitation  of   such
    vulnerabilities, while  preserving stealth  behavior with  respect
    to cookies, referers and user-agent strings to the extent required
    to keep the web site software happy.


    The vendor has fixed this particular problem; however, all web mail
    vendors are  hereby urged  to evaluate  their systems  for similar
