{"vuid":"VU#743555","idnumber":"743555","name":"@Mail Open webmail client contains multiple vulnerabilities","keywords":["AtMail","@Mail","cwe-200","cwe-73","cwe-434","cwe-23"],"overview":"The @Mail Open 1.04 webmail client contains multiple vulnerabilities including; unrestricted upload of file with dangerous type (CWE-434), relative path traversal (CWE-23), external control of file name or path (CWE-73), and information exposure (CWE-200).","clean_desc":"The @Mail Open 1.04 webmail client contains multiple vulnerabilities including the following. CWE-434: Unrestricted Upload of File with Dangerous Type\nAn attacker can upload files attached to email letters with dangerous types, such as, .php. This vulnerability can be exploited to upload a backdoor php shell. CWE-23: Relative Path Traversal\nThe compose.php script contains a directory traversal vulnerability. An example is below: hxxps://localhost/compose.php?func=renameattach&unique=/..././..././..././..././..././..././..././..././..././..././..././..././tmp/positive.test%00&Attachment[]=/../../../../../../../../../etc/passwd CWE-73: External Control of File Name or Path\nThe compose.php and SendMsg.php scripts can be exploited with the directory traversal attack to copy any file on the system. An example is below: hxxps://localhost/compose.php?func=renameattach&unique=1.txt%00&Attachment[]=/../../../../../../../../../etc/passwd As a result, the file will be available at: hxxps://localhost/tmp/username@host.com/username@host.com-1.txt The mime.php script can be exploited with the directory traversal attack to read any file on the system. An example is below: hxxps://localhost/mime.php?file=%0A/../../../../../../../../../etc/passwd&name=positive.html CWE-200: Information Exposure\nThe info.php script calls the phpinfo() function that my display sensitive system configuration information. Additional details may be found in Positive Technologies' PT-2011-48 advisory.","impact":"A remote attacker may be able to read and write to arbitrary files on the system. A backdoor shell may also be uploaded to an affected system.","resolution":"Apply an Update\n@Mail Open 1.05 has been released to address these vulnerabilities.","workarounds":"","sysaffected":"","thanks":"Thanks to \nSergey Scherbel\n of Positive Technologies for reporting these vulnerabilities.","author":"This document was written by Jared Allar.","public":["http://atmail.org/download.php","http://en.securitylab.ru/lab/PT-2011-48","http://cwe.mitre.org/data/definitions/200.html","http://cwe.mitre.org/data/definitions/73.html","http://cwe.mitre.org/data/definitions/434.html","http://cwe.mitre.org/data/definitions/23.html"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2012-02-06T20:09:58Z","publicdate":"2012-03-22T00:00:00Z","datefirstpublished":"2012-03-22T13:23:33Z","dateupdated":"2012-03-28T12:20:07Z","revision":28,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"1","cam_exploitation":"4","cam_internetinfrastructure":"4","cam_population":"4","cam_impact":"11","cam_easeofexploitation":"12","cam_attackeraccessrequired":"15","cam_scorecurrent":"1.3365","cam_scorecurrentwidelyknown":"4.158","cam_scorecurrentwidelyknownexploited":"6.534","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"P","cvss_availabilityimpact":"P","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"ND","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"6","cvss_basevector":"AV:N/AC:M/Au:S/C:P/I:P/A:P","cvss_temporalscore":"4.7","cvss_environmentalscore":"4.7","cvss_environmentalvector":"CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND","metric":1.3365,"vulnote":null}