Secunia Research: @Mail Webmail Attachment Upload Directory Traversal

====================================================================== 

                     Secunia Research 01/02/2006

       - @Mail Webmail Attachment Upload Directory Traversal -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

====================================================================== 
1) Affected Software 

* @Mail 4.3 for Windows

Other versions may also be affected.

====================================================================== 
2) Severity 

Rating: Moderately Critical
Impact: System access
Where:  Remote

====================================================================== 
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in @Mail Webmail, 
which can be exploited by malicious users to compromise a vulnerable
system.

The vulnerability is caused due to the lack of sanitisation of the
"unique" parameter in compose.pl before using the value to construct
a filename for saving an uploaded mail attachment. This can be
exploited to upload files to arbitrary directories on the server with
privileges of the webserver via directory traversal attacks. The
default installation of the Windows version runs the Apache webserver
with SYSTEM privileges.

Successful exploitation allows execution of arbitrary Perl code by
e.g. uploading a Perl file into the webmail directory.

====================================================================== 
4) Solution 

The vendor has provided a source code patch (see vendor's original
advisory).

A patch will be available for download by 2006-02-07.

====================================================================== 
5) Time Table 

30/01/2006 - Initial vendor notification.
30/01/2006 - Initial vendor reply.
01/02/2006 - Vendor releases source code patch.
01/02/2006 - Public disclosure.

====================================================================== 
6) Credits 

Discovered by Tan Chew Keong, Secunia Research.

====================================================================== 
7) References

CalaCode:
http://kb.atmail.com/view_article.php?num=374

====================================================================== 
8) About Secunia 

Secunia collects, validates, assesses, and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 

http://secunia.com/

Secunia offers services to our customers enabling them to receive all 
relevant vulnerability information to their specific system 
configuration. 

Secunia offers a FREE mailing list called Secunia Security Advisories: 

http://secunia.com/secunia_security_advisories/

====================================================================== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-2/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================