Title: V-webmail
Release Date: 2008-10-05
Application: V-webmail 1.5.0
Author: Brian Martin
Cross Ref: CVE-2008-3057, CVE-2008-3058, CVE-2008-3059
           OSVDB 48793, 48794, 48795, 48796
Reference: http://osvdb.org/ref/48/48-v-webmail.txt

Description:
------------

"What is V-webmail? V-webmail is a powerful PHP based webmail application
with an abundance of features, including many innovative ideas for web
applications..."

During a recent vulnerability assessment, a brief unauthenticated review of
an older V-webmail installation was performed. The testing was not thorough
due to a lack of time and credentials. The following issues were noticed:

#1 - imap_open Function Path Disclosure

If unexpected input is provided to the login page, the resulting error page
includes the full installation path:

    Warning: imap_open(): Couldn't open stream {:} in /var/web/v-webmail/includes/local.hooks.php on line 76
    can't connect: Can't open mailbox {:}: invalid remote specification

#2 - login.php Possible SQL Injection

When providing malformed input (e.g. ' in the username field) to the login
page, the resulting error message indicates the application may be
susceptible to SQL Injection:

    Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/web/v-webmail/includes/local.hooks.php on line 48

Note: Due to time restraints, this could not be fully tested. However, based
on the difference in error messages and other vulnerabilities, it is likely
this software suffers from SQL injection.

#3 - V-webmail Temporary Directory Disclosure

By providing invalid session data to the application, the resulting error
message discloses the temporary directory used by V-webmail:

    Can't open mailbox {:}: invalid remote specification
    Warning: Unknown(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in Unknown on line 0
    Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0

#4 - redirect.php Arbitrary Site Redirect

The redirect.php script allows an attacker to send a URL with an arbitrary
site in the 'to' variable. If clicked, the V-webmail application will
silently redirect the user to the arbitrary site. Such an attack can be
helpful in phishing style attacks as the URL may appear to be a trusted site.

    https://[target]/redirect.php?to=http://[attacker]/

#5 - Cross-frame Scripting

As described in CVE-2004-2383, the Oempro application does not implement code
to prevent Cross-frame scripting attacks. This can be used to construct
phishing attacks to more convincingly steal user credentials. Note: this
issue also affects some Konqueror users.

Product Details:
----------------

Vendor: V-webmail Development Team
Product: V-webmail
Version: 1.5.0

Proof of Concept:
-----------------

Solution:
---------

None

Disclosure Timeline:
--------------------

2008-07-02: Vulnerability Discovered
2008-07-05: Disclosed to Vendor
2008-07-07: CVE numbers assigned
2008-10-05: No Vendor Acknowledgement, project appears dead on forum
2008-10-05: Public Disclosure

CVE:
----

This issue is a candidate for inclusion in the Common Vulnerabilities and
Exposures (CVE) list (http://cve.mitre.org), which standardizes names for
security problems. The CVE initiative has assigned CVE Candidate
CVE-2008-3060 (path disclosure), CVE-2008-3063 (SQL injection) and
CVE-2008-3061 (redirect) to this issue.

References:
-----------

OSVDB: http://osvdb.org/
Vendor: http://v-webmail.sourceforge.net/

Creditee:
---------

Brian Martin
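
For issue #4, one way an operator could constrain the 'to' parameter before redirecting, shown as an added example that is not V-webmail code and not part of the original advisory. The function name safe_redirect_target(), the ALLOWED_HOSTS constant and the host names are assumptions made for illustration.

```php
<?php
// Added example, not V-webmail code. ALLOWED_HOSTS and safe_redirect_target()
// are hypothetical names; the host below is a constructed sample value.
const ALLOWED_HOSTS = ['webmail.example.org'];

// Return a safe redirect target for the user-supplied 'to' value, or the
// fallback when the value is malformed or points off-site.
function safe_redirect_target(string $to, string $fallback = '/'): string
{
    // Reject control characters (header injection) and backslashes,
    // which some browsers treat as forward slashes.
    if ($to === '' || preg_match('/[\x00-\x1f\x7f\\\\]/', $to)) {
        return $fallback;
    }
    // Local path: exactly one leading slash. "//host" is scheme-relative
    // and would leave the site, so it is refused.
    if ($to[0] === '/') {
        return (strlen($to) > 1 && $to[1] === '/') ? $fallback : $to;
    }
    // Absolute URL: require http(s), no userinfo, and an exact allowlisted host.
    $parts = parse_url($to);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    $scheme = strtolower($parts['scheme']);
    $host   = strtolower($parts['host']);
    if (!in_array($scheme, ['http', 'https'], true)
        || isset($parts['user']) || isset($parts['pass'])
        || !in_array($host, ALLOWED_HOSTS, true)) {
        return $fallback;
    }
    return $to;
}

// Constructed sample inputs: the first two are kept, the rest fall back to "/".
$samples = [
    '/index.php?folder=INBOX',
    'https://webmail.example.org/help',
    'http://attacker.example/',
    '//attacker.example/',
    'https://webmail.example.org@attacker.example/',
    "/ok\r\nSet-Cookie: x=1",
];
foreach ($samples as $to) {
    printf("%-50s => %s\n", json_encode($to), safe_redirect_target($to));
}
```

A redirect script would pass the result to header('Location: ...') instead of the raw request value, so any off-site or malformed target lands on the fallback page.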