uebimiau.txt
Posted Jan 28, 2005
Authored by Glaudson Ocampos, Intruders Tiger Team | Site intruders.com.br

Multiple vulnerabilities in Uebimiau WebMail versions 2.7.2 and below allow for the hijacking of session files and other information.

tags | advisory, vulnerability
SHA-256 | 834d17e463670f58d926bf262304f0e4f32dfaf0d2ef316c1799deb007620aec

ADVISORY 01  15/01/2005

INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY

http://www.intruders.com.br/
http://www.intruders.org.br/


ADVISORY/0105 - UEBIMIAU < 2.7.2 MULTIPLE VULNERABILITIES

PRIORITY: HIGH


I - INTRODUCTION:
----------------

From http://www.uebimiau.org/

"UebiMiau is a simple, yet efficient cross-platform POP3/IMAP mail
reader written in PHP. It has many features, such as: Folders,
View and Send Attachments, Preferences, Search, Quota Limit, etc.
UebiMiau DOES NOT require database or extra PHP modules (--with-imap)"


II - DESCRIPTION:
------------------

Intruders Tiger Team Security has identified multiple
vulnerabilities in a default installation of Uebimiau WebMail
that can be exploited by malicious users to hijack session
files and other information on the target system.

Intruders Tiger Team Security has found that many systems
are vulnerable.


III - ANALYSIS
---------------

In a default installation Uebimiau creates one temporary
folder to store "sessions" and other files. This folder is
defined in "inc/config.php" as "./database/".

If the web administrator does not change this folder, an
attacker can reach it with the following request:

http://server-target/database/_sessions/

If the web server permits "directory listing", the attacker
can read the session files.

Another problem lies in the way users' files are stored. In
a default installation the files of each user are stored
under the following path:

$temporary_directory/<user>_<domain>/

An attacker can access a user's files by requesting:

http://server-target/database/user_domain/

where "user" is the target user and "domain" is the target
domain.

Intruders Tiger Team Security has found many servers
vulnerable to these attacks.
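Both requests above leave a recognisable trace in the web server's access log: a GET whose path enters the temporary directory. The following POSIX shell functions are an added example, not part of the advisory, that pull such requests out of Apache combined-format log lines and count how many were actually served (2xx) rather than refused. The log lines, addresses and the "webmail" prefix are constructed sample values; the directory name defaults to the advisory's "database" and can be overridden if $temporary_directory was renamed.

```shell
#!/bin/sh
# Added example (not from the advisory): find requests into Uebimiau's
# temporary directory in Apache combined-format access log lines.

# Constructed sample log lines: two probes of the temp directory among
# ordinary webmail traffic. One probe was served (200), one refused (403).
SAMPLE_LOG='10.0.0.5 - - [28/Jan/2005:10:01:02 +0000] "GET /webmail/index.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
10.0.0.9 - - [28/Jan/2005:10:02:15 +0000] "GET /webmail/database/_sessions/ HTTP/1.1" 200 4811 "-" "curl/7.38"
10.0.0.5 - - [28/Jan/2005:10:03:40 +0000] "POST /webmail/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [28/Jan/2005:10:04:01 +0000] "GET /webmail/database/alice_example.org/ HTTP/1.1" 403 210 "-" "curl/7.38"'

# Print every log line (read from stdin) whose request path contains
# "/<dir>/". $1 is the temp directory name; default "database".
# In the combined log format field 7 is the request path.
tempdir_requests() {
    dir=${1:-database}
    awk -v d="/$dir/" 'index($7, d) > 0'
}

# Count the requests into the temp directory that got a 2xx response,
# i.e. where content was actually returned. Field 9 is the status code.
tempdir_served_count() {
    dir=${1:-database}
    awk -v d="/$dir/" 'index($7, d) > 0 && $9 ~ /^2/ { n++ } END { print n+0 }'
}

# Run against the constructed sample; replace with e.g.
#   tempdir_requests < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | tempdir_requests
printf '%s\n' "$SAMPLE_LOG" | tempdir_served_count
```

A served request into "/database/_sessions/" or "/database/<user>_<domain>/" from an address that never logged in is the signal to look for; a 403 on the same path shows the workaround below is in place.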


IV. DETECTION
-------------

Intruders Tiger Team Security has confirmed the existence
of these vulnerabilities in Uebimiau version 2.7.2.

Other versions are possibly vulnerable too.


V. WORKAROUND
--------------

STEP 1 - Place an index.php in each directory of the
Uebimiau installation.

STEP 2 - Set the variable $temporary_directory to a
directory that is not public and has restricted access,
and set the permissions of each file in $temporary_directory
to read only for the "web server user".

STEP 3 - Set open_basedir in httpd.conf for your clients,
following the model below:

<Directory /server-target/public_html>
    php_admin_value open_basedir /server-target/public_html
</Directory>
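Steps 1 and 2 can be verified on an existing installation. The POSIX shell script below is an added example, not Uebimiau's own code: it lists directories under the webmail root that have no index.php (step 1), checks that the configured $temporary_directory resolves outside the document root (step 2), and lists files in that directory that are readable by every local user rather than only the web server user (step 2). Both paths are passed as arguments; the script does not inspect httpd.conf, so step 3 is not covered.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a Uebimiau install tree
# against workaround steps 1 and 2. Usage:
#   sh uebimiau_audit.sh <document-root> <temporary_directory>

# Step 1: print every directory under $1 that lacks an index.php. Such
# a directory shows a listing if the web server allows directory indexes.
dirs_without_index() {
    find "$1" -type d | while IFS= read -r d; do
        [ -e "$d/index.php" ] || printf '%s\n' "$d"
    done
}

# Step 2: succeed (return 0) only when the temp directory $2 is not
# inside the document root $1. Both are canonicalised so that a value
# like "./database/" relative to the webmail root is resolved first.
# Returns 2 if either path cannot be entered.
tempdir_outside_docroot() {
    docroot=$(cd "$1" && pwd -P) || return 2
    tmp=$(cd "$2" && pwd -P) || return 2
    case "$tmp/" in
        "$docroot"/*) return 1 ;;   # still under the web root: exposed
        *) return 0 ;;
    esac
}

# Step 2: print files in the temp directory $1 with the "other" read bit
# set (mode ...4), i.e. readable by any local account, not just the
# web server user.
world_readable_files() {
    find "$1" -type f -perm -004
}

# Driver: only runs when both paths are given on the command line.
if [ "$#" -eq 2 ]; then
    echo "Directories without index.php under $1:"
    dirs_without_index "$1"
    if tempdir_outside_docroot "$1" "$2"; then
        echo "OK: $2 is outside the document root"
    else
        echo "WARNING: $2 is inside the document root (or not readable)"
    fi
    echo "World-readable files in $2:"
    world_readable_files "$2"
fi
```

Run it with the Apache DocumentRoot and the value of $temporary_directory from inc/config.php; an empty list from the first and third checks and an "OK" from the second means steps 1 and 2 have been applied.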


VI - VENDOR RESPONSE
--------------------

15/01/2005 - Flaw discovered.
18/01/2005 - Contacted Uebimiau Team.
20/01/2005 - Vendor response.
26/01/2005 - Advisory published.


VII - CREDITS
-------------

Glaudson Ocampos (Nash Leon) and Intruders Tiger Team
Security discovered this vulnerability.

Thanks to Wendel Guglielmetti Henrique (dum_dum) and
Waldemar Nehgme from securityopensource.org.br.

Visit the Intruders Tiger Team Security web site for
more advisories:

http://www.intruders.com.br/
http://www.intruders.org.br/
