[SA18646] @Mail Webmail Attachment Upload Directory Traversal

TITLE:
@Mail Webmail Attachment Upload Directory Traversal

SECUNIA ADVISORY ID:
SA18646

VERIFY ADVISORY:
http://secunia.com/advisories/18646/

CRITICAL:
Moderately critical

IMPACT:
System access

WHERE:
>From remote

SOFTWARE:
@Mail 4.x
http://secunia.com/product/5459/

DESCRIPTION:
Secunia Research has discovered a vulnerability in @Mail Webmail,
which can be exploited by malicious users to compromise a vulnerable
system.

The vulnerability is caused due to the lack of sanitisation of the
"unique" parameter in compose.pl before using the value to construct
a filename for saving an uploaded mail attachment. This can be
exploited to upload files to arbitrary directories on the server with
privileges of the web server via directory traversal attacks. The
default installation of the Windows version runs the Apache web
server with SYSTEM privileges.

Successful exploitation allows execution of arbitrary Perl code by
e.g. uploading a Perl file into the webmail directory.

The vulnerability has been confirmed in version 4.3 and affects only
the Windows version.

SOLUTION:
The vendor has provided a source code patch (see vendor's original
advisory).

A patch will be available for download by 2006-02-07.

PROVIDED AND/OR DISCOVERED BY:
Tan Chew Keong, Secunia Research.

ORIGINAL ADVISORY:
CalaCode:
http://kb.atmail.com/view_article.php?num=374

Secunia Research:
http://secunia.com/secunia_research/2006-2/

---

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.