COMMAND

    IMP

SYSTEMS AFFECTED

    Most (all?) versions of IMP < 2.2.1=20

PROBLEM

    Following  is  based  on  a  Secure  Reality  Security Advisory #3
    (SRADV00003).  IMP is an extremely powerful and widespread webmail
    application in PHP.   In investigating the  PHP file upload  issue
    discussed in SRADV0001  SR tested many  popular PHP scripts  which
    supported file upload.  SRAD00001 ia available at this site:

        http://oliver.efri.hr/~crv/security/bugs/Others/aportal.html

    All of  them were  vulnerable to  the problem  in the  form given,
    except IMP.   By luck  it managed  to avoid  this problem,  it  is
    however still vulnerable to arbitrary disclosure of files readable
    by the web user (typically 'nobody') via an alternative method.

    IMP is  not vulnerable  to most  forms of  the method described in
    SRADV00001 because it to   copy the specified file to  its current
    location  with  .att  appended.   That  is,  if  the filename were
    '/etc/passwd', it attempts to copy the file to  '/etc/passwd.att'.
    This will almost  always fail, since  the web user  is unlikely to
    have access to write files in the directories specified.

    However, IMP makes  the mistake of  storing hidden variables  in a
    form which if modified can cause insecure behaviour.  In order  to
    keep  track  of  the  attachments  for  an email being composed in
    compose.php, it stores in the form variables like the following

        <input type="hidden" name="attachments_name[]" value="hello.txt">
        <input type="hidden" name="attachments_size[]" value="68">
        <input type="hidden" name="attachments_file[]" value="/var/tmp/phpAAA0kwGF6.att">
        <input type="hidden" name="attachments_type[]" value="text/plain">

    Modifying the attachments_name[] hidden variable will cause IMP to
    email  as  an  attachment  any  file  it  can  read  with web user
    privleges.   Additionally it  will try  to unlink  this file  once
    complete, which could potentially be used to cause damage.

SOLUTION

    Please upgrade to the latest versions:

        IMP 2.2.1 ftp://ftp.horde.org/pub/imp/
        Horde 1.2.1 ftp://ftp.horde.org/pub/horde/