COMMAND
IMP
SYSTEMS AFFECTED
Most (all?) versions of IMP < 2.2.1
PROBLEM
The following is based on Secure Reality Security Advisory #3
(SRADV00003). IMP is an extremely powerful and widespread webmail
application written in PHP. While investigating the PHP file upload issue
discussed in SRADV00001, SR tested many popular PHP scripts that
support file upload. SRADV00001 is available at this site:
http://oliver.efri.hr/~crv/security/bugs/Others/aportal.html
All of them were vulnerable to the problem in the form given,
except IMP. By luck it managed to avoid this problem; it is,
however, still vulnerable to arbitrary disclosure of files readable
by the web user (typically 'nobody') via an alternative method.
IMP is not vulnerable to most forms of the method described in
SRADV00001 because it attempts to copy the specified file to its
current location with .att appended. That is, if the filename were
'/etc/passwd', it attempts to copy the file to '/etc/passwd.att'.
This will almost always fail, since the web user is unlikely to
have write access to the directories specified.
However, IMP makes the mistake of storing hidden variables in a
form which, if modified, can cause insecure behaviour. In order to
keep track of the attachments for an email being composed in
compose.php, it stores hidden form variables like the following:
<input type="hidden" name="attachments_name[]" value="hello.txt">
<input type="hidden" name="attachments_size[]" value="68">
<input type="hidden" name="attachments_file[]" value="/var/tmp/phpAAA0kwGF6.att">
<input type="hidden" name="attachments_type[]" value="text/plain">
Modifying the attachments_name[] hidden variable will cause IMP to
email as an attachment any file it can read with web user
privileges. Additionally, it will try to unlink this file once
complete, which could potentially be used to cause damage.
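The root cause is that server-side file paths are round-tripped through the browser in hidden fields and then trusted on the way back. The following is an added illustration (not IMP's code) of that pattern next to a hardened version that keeps the paths in the session and hands the browser only an opaque id; ATTACH_DIR and the function names are assumptions for the example.

```php
<?php
// Added example, not IMP's code. ATTACH_DIR is a hypothetical temp directory
// for uploaded attachments; sessions are assumed to be enabled.
define('ATTACH_DIR', '/var/tmp/imp_attachments');

// Vulnerable pattern: the path to attach comes straight from a hidden form
// field. Any file the web user can read can be named here, and the later
// unlink() of the "temp file" removes it as well.
function attachmentsFromForm(array $post): array {
    $files = [];
    foreach ($post['attachments_file'] ?? [] as $i => $path) {
        $files[] = ['path' => $path,
                    'name' => $post['attachments_name'][$i] ?? basename($path)];
    }
    return $files;
}

// Hardened pattern, step 1 (at upload time): record the real temp path under a
// random opaque id in the session and emit only that id in the hidden field.
function registerUpload(array &$session, string $tmpPath, string $name, string $type): string {
    $id = bin2hex(random_bytes(16));
    $session['attachments'][$id] = ['path' => $tmpPath, 'name' => $name, 'type' => $type];
    return $id;
}

// Hardened pattern, step 2 (when sending): accept only ids the session knows,
// and re-check that the recorded path still resolves inside ATTACH_DIR before
// the file is read or unlinked (guards against a swapped-in symlink).
function attachmentsFromSession(array $session, array $post): array {
    $files = [];
    $base  = realpath(ATTACH_DIR);
    foreach ($post['attachments_id'] ?? [] as $id) {
        if (!is_string($id) || !isset($session['attachments'][$id])) {
            continue;                      // unknown or forged id: ignore it
        }
        $entry = $session['attachments'][$id];
        $real  = realpath($entry['path']);
        if ($base === false || $real === false
            || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
            continue;                      // path escaped the attachment dir
        }
        $entry['path'] = $real;
        $files[] = $entry;
    }
    return $files;
}
```

With the hardened form, a tampered hidden field can at most name an id that is not in the session, so nothing outside the attachment directory is ever read or deleted.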
SOLUTION
Please upgrade to the latest versions:
IMP 2.2.1 ftp://ftp.horde.org/pub/imp/
Horde 1.2.1 ftp://ftp.horde.org/pub/horde/