Bugtraq mailing list archives

(SRADV00003) Arbitrary file disclosure through IMP


From: Secure Reality Advisories <create () SECUREREALITY COM AU>
Date: Tue, 12 Sep 2000 21:41:11 +1000

=================================================
Secure Reality Pty Ltd. Security Advisory #3 (SRADV00003)
http://www.securereality.com.au
=================================================

[Title]
Arbitrary file disclosure through IMP

[Released]
12/09/2000

[Vulnerable]
Most (all?) versions of IMP < 2.2.1 

[Overview]
IMP is an extremely powerful and widespread webmail application written in PHP. While investigating the PHP file upload 
issue discussed in SRADV00001 we tested many popular PHP scripts which support file upload. All of them were vulnerable 
to the problem in the form given, except IMP. By luck it managed to avoid that problem; it is, however, still vulnerable 
to arbitrary disclosure of files readable by the web user (typically 'nobody') via an alternative method.

It is a shame we released this advisory a little late: for those not aware, a serious bug has been found in Horde (a 
library that IMP uses) that allows remote command execution. For more detail on this problem see 
http://www.securityfocus.com/templates/archive.pike?mid=81141&threads=0&end=2000-09-09&start=2000-09-03&list=1&fromthread=0.
This means most users will (hopefully) have updated at least the Horde library to the latest version; however, those 
who only updated the Horde library and not IMP in addition will remain vulnerable to this problem.

[Impact]
File Disclosure

[Detail]
IMP is not vulnerable to most forms of the method described in SRADV00001 because it attempts to copy the specified file 
to its current location with .att appended. That is, if the filename were '/etc/passwd', it attempts to copy the file to 
'/etc/passwd.att'. This will almost always fail, since the web user is unlikely to have write access to the directories 
specified.

However, IMP makes the mistake of storing hidden variables in a form which, if modified, can cause insecure behaviour. 
In order to keep track of the attachments for an email being composed in compose.php, it stores in the form variables 
like the following:
     <input type="hidden" name="attachments_name[]" value="hello.txt">
     <input type="hidden" name="attachments_size[]" value="68">
     <input type="hidden" name="attachments_file[]" value="/var/tmp/phpAAA0kwGF6.att">
     <input type="hidden" name="attachments_type[]" value="text/plain">

Modifying the attachments_name[] hidden variable will cause IMP to email as an attachment any file it can read with web 
user privileges. Additionally it will try to unlink this file once complete, which could potentially be used to cause 
damage.
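
As an added example (not IMP's code, and not the fix shipped in 2.2.1), the PHP below shows the compose-form attachment 
state kept server-side so the form carries only an opaque token, with a path check as a second line of defence; 
$attachDir, the function names and the session layout are assumptions.

```php
<?php
// Added example, not IMP's code: keep compose-form attachment state on the
// server instead of in editable hidden inputs. The upload step, $attachDir
// and the session layout are assumptions for this illustration.
session_start();

// Insecure pattern (the mistake described above): the path that is attached
// and later unlinked comes straight from a hidden field the client controls:
//   $path = $_POST['attachments_file'][0]; attach_file($path); unlink($path);

// Hardened pattern: register each saved upload under a random token and
// keep the real path in the session. The form carries only the token.
function register_attachment(string $tmpPath, string $name, string $type): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['attachments'][$token] = ['file' => $tmpPath, 'name' => $name, 'type' => $type];
    return $token;   // emit as <input type="hidden" name="attachments[]" value="$token">
}

// Map a token back to its entry. Unknown tokens yield null, and so does any
// stored path that does not resolve inside $attachDir (defence in depth).
function resolve_attachment(string $token, string $attachDir): ?array
{
    $entry = $_SESSION['attachments'][$token] ?? null;
    if ($entry === null) {
        return null;
    }
    $real = realpath($entry['file']);
    $base = realpath($attachDir);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $entry['file'] = $real;
    return $entry;
}

// Send step: only files this session registered are attached and removed;
// any other value in the request is ignored.
$attachDir = '/var/tmp/imp-attachments';   // assumed upload directory
foreach ((array) ($_POST['attachments'] ?? []) as $token) {
    $att = resolve_attachment((string) $token, $attachDir);
    if ($att === null) {
        continue;   // not one of ours: log and skip
    }
    // ... add $att['file'] to the message as $att['name'] ($att['type']) ...
    unlink($att['file']);
    unset($_SESSION['attachments'][$token]);
}
```

Because the path never leaves the server, a tampered request can at most name a token that does not exist, and the 
unlink only ever runs on files the application itself wrote.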

[Fix]
Please upgrade to the latest versions:
IMP 2.2.1 ftp://ftp.horde.org/pub/imp/
Horde 1.2.1 ftp://ftp.horde.org/pub/horde/


[Credits]
Our thanks to Chuck Hagenbuch, a member of the IMP team, for his assistance in quickly fixing this problem and cutting a 
new version.

[Disclaimer]
Advice, directions and instructions on security vulnerabilities in this
advisory do not constitute: an endorsement of illegal behaviour; a guarantee
that protection measures will work; an endorsement of any product or
solution or recommendations on behalf of Secure Reality Pty Ltd. Content is
provided as is and Secure Reality does not accept responsibility for any
damage or injury caused as a result of its use.

