COMMAND
IMP
SYSTEMS AFFECTED
Imp-2.2.4
PROBLEM
Jarno Huuskonen found the following. It was only tested with imp-2.2.4
on Linux and AIX (with php-4.0.5/php-3.0.18), but AFAIK all platforms
are affected. There is a possible local file overwrite (symlink
attack) by any local user on the webmail server.
Imp-webmail uses predictable temporary filenames when handling
uploaded attachments or when 'viewing' attachments.
Uploaded attachments:
=====================
When a user composes a new email all the attachments are uploaded
to the webmail server. First PHP handles the file upload and
creates a temporary file (the file is created in php.ini
'upload_tmp_dir' or /tmp). The temporary filename is something
like /tmp/phpXXXXXX (where X's are 'random'). After this imp's
compose.php3 copies this temporary file for safekeeping. The
destination filename imp uses is /tmp/phpXXXXXX.att, but imp fails
to check if the destination exists (and the destination file is
opened without the O_EXCL flag, so an existing symlink at that name is
simply followed). The attacker can therefore watch /tmp (or
upload_tmp_dir) for new phpXXXXXX files and, in the window before
compose.php3 makes its copy, plant a symlink named after imp's
destination and pointing at a file the webserver user can write:
ln -s /to/webserver_writable_file /tmp/phpXXXXXX.att
Imp's copy then truncates and overwrites the link target instead of
creating a fresh .att file.
Attachment viewers:
===================
Imp can use external viewers for viewing email attachments like
zip-files. Before calling these viewers imp
(imp/lib/mimetypes.lib) saves the attachment into a temporary
file. These filenames are something like:
/tmp/imp.'.date('Y-M-D_H:i:s').'__'.md5($contents)
The filename is therefore quite easy to guess (an attacker who mailed
the attachment knows $contents, and the timestamp only has to be guessed
to the second), and the file is opened without O_EXCL, so pre-creating a
batch of /tmp/imp.... symlinks covering the likely timestamps is also
possible. (Note: John Paris discovered this earlier.)
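Both cases above share one root cause: a temporary name the attacker can predict, opened with create-or-truncate and without O_EXCL. The following is an added example, not code from IMP or PHP, that reproduces the race against the upload case and then shows the two behaviours the SOLUTION relies on: O_CREAT|O_EXCL refusing a planted link, and mkstemp() picking a name nobody could pre-create. Everything is done inside a throw-away mkdtemp() directory; the victim file name, the "phpAbC123.att" temporary name and the contents written are assumptions chosen to mirror the advisory.

```c
/*
 * Added example (not IMP's or PHP's code): a local "attacker" plants a
 * symlink at the predictable temporary name, then the "application"
 * saves the upload to that name.  Without O_EXCL the symlink is followed
 * and its target is clobbered; with O_EXCL the open fails with EEXIST;
 * mkstemp() sidesteps the race entirely.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* expose mkdtemp/mkstemp under strict -std= */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define VICTIM_CONTENT "original contents of a webserver-writable file\n"
#define ATTACHMENT     "attacker-chosen attachment bytes\n"   /* constructed */

static int write_str(int fd, const char *s) {
    size_t len = strlen(s);
    while (len) {
        ssize_t n = write(fd, s, len);
        if (n < 0) return -1;
        s += n; len -= (size_t)n;
    }
    return 0;
}

/* Private scratch dir (so fs.protected_symlinks on a sticky /tmp does not
 * interfere), a victim file, and the attacker's planted symlink:
 *     ln -s <victim> <dir>/phpAbC123.att                 (assumed name) */
static int make_scenario(char *dir, char *victim, char *tmpname, size_t cap) {
    strcpy(dir, "/tmp/impdemo.XXXXXX");
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "impdemo.XXXXXX");            /* fall back to cwd */
        if (mkdtemp(dir) == NULL) return -1;
    }
    snprintf(victim, cap, "%s/webserver_writable_file", dir);
    snprintf(tmpname, cap, "%s/phpAbC123.att", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write_str(fd, VICTIM_CONTENT) < 0) return -1;
    close(fd);
    return symlink(victim, tmpname);               /* attacker's move */
}

static void clean_scenario(const char *dir, const char *victim, const char *tmpname) {
    unlink(tmpname); unlink(victim); rmdir(dir);
}

/* 1 if the victim still holds exactly its original contents. */
static int victim_intact(const char *victim) {
    char buf[128] = {0};
    int fd = open(victim, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n > 0 && strcmp(buf, VICTIM_CONTENT) == 0;
}

/* The application's "save the upload" step.  Returns 1 if the victim was
 * overwritten, 0 if it survived; *err receives errno from open() (0 on
 * success).  With O_EXCL, open() refuses the planted link with EEXIST (on
 * Linux even a dangling symlink makes O_CREAT|O_EXCL fail); without it,
 * O_TRUNC empties the target and the attachment bytes land inside it. */
static int save_attachment(int use_excl, int *err) {
    char dir[64], victim[128], tmpname[128];
    if (make_scenario(dir, victim, tmpname, sizeof victim) < 0) return -1;
    int fd = open(tmpname, O_WRONLY | O_CREAT | (use_excl ? O_EXCL : O_TRUNC), 0600);
    *err = (fd < 0) ? errno : 0;
    if (fd >= 0) { write_str(fd, ATTACHMENT); close(fd); }
    int clobbered = !victim_intact(victim);
    clean_scenario(dir, victim, tmpname);
    return clobbered;
}

/* 1 if the create-or-truncate open succeeded AND overwrote the victim. */
int demo_without_excl(void) { int e; return save_attachment(0, &e) == 1 && e == 0; }

/* errno from the O_EXCL attempt (expected EEXIST), or -1 if the victim
 * was overwritten anyway. */
int demo_with_excl(void) { int e; return save_attachment(1, &e) ? -1 : e; }

/* mkstemp(): libc chooses a fresh name and opens it O_CREAT|O_EXCL, so
 * there is no name for the attacker to pre-create.  Returns 1 if we got a
 * regular file we own and the planted link's target is untouched. */
int demo_mkstemp(void) {
    char dir[64], victim[128], tmpname[128], path[128];
    if (make_scenario(dir, victim, tmpname, sizeof victim) < 0) return -1;
    snprintf(path, sizeof path, "%s/php.XXXXXX", dir);
    int fd = mkstemp(path), ok = 0;
    if (fd >= 0) {
        struct stat st;
        write_str(fd, ATTACHMENT);
        ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == getuid();
        close(fd);
        unlink(path);
    }
    ok = ok && victim_intact(victim);
    clean_scenario(dir, victim, tmpname);
    return ok;
}

int main(void) {
    printf("no O_EXCL : victim overwritten=%d\n", demo_without_excl());
    printf("O_EXCL    : open errno=%d (%s)\n", demo_with_excl(), strerror(demo_with_excl()));
    printf("mkstemp   : safe=%d\n", demo_mkstemp());
    return 0;
}
```

The scenario deliberately runs in a private directory: on Linux 3.6 and later, fs.protected_symlinks=1 already refuses to follow a symlink in a sticky, world-writable directory such as /tmp when the link owner differs from both the follower and the directory owner, which is exactly the mitigation that was missing in 2001 and the reason the 'upload_tmp_dir' advice below still matters on systems without it.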
SOLUTION
Upgrade to imp-2.2.5 and use the 'upload_tmp_dir' directive
(php.ini) to define a directory where uploaded files should go
(see imp/docs/SECURITY for more information).
Note: Imp-2.2.5 uses the PHP tempnam function for creating temporary
files. With PHP versions earlier than 4.0.3 (exact version uncertain),
tempnam doesn't use mkstemp, so it still has a race condition (the name
is generated and the file created in separate steps), so upgrading to
PHP-4.0.5 or patching PHP-3.0.18 to use mkstemp is advisable.