Re: [hypermail] Hypermail security < test <here> >

---------


From: Franklin DeMatto (franklin.lists@qdefense.com)
Date: Tue Nov 13 2001 - 09:56:00 CST


> >> and creation of local files with evil names (such as unwanted extensions)
> >> or properties (such as double dots in paths or x-bit on) come to mind.
> >
> > Hm, yes. This might be possible. I can't recall off the top of my head how
> > hypermail treats all file names passed to it in attachments etc.
>
> Attachment file names are filtered through the safe_filename routine,
> which ensures that only characters passing this test are allowed in those
> names:
>   if ((*np >= 'a' && *np <= 'z') || (*np >= '0' && *np <= '9') ||
>       (*np >= 'A' && *np <= 'Z') || (*np == '-') || (*np == '.') ||
>       (*np == ':') || (*np == '_')) {
> So a filename with ".." in the middle is possible, but since it doesn't
> appear that a / or \ can be put near the dots, I haven't been able to find
> a way to exploit this.

It seems like an attacker has full control over the filename, provided that
he limits himself to those characters. Nothing is to stop an attacker from
creating a .shtml attachment, and putting exec or include commands in
it. This is a major insecurity, in my opinion. Obviously, the server
should be configured to not allow SSI in the hypermail directory, but
hypermail should not rely on that.

Attackers could also use attachments to bypass the routines to clean tags
from HTML, and succeed in putting evil scripts and the like on the server.

I would suggest that the "." character be removed from the list of
acceptable characters, and possibly that hypermail append a standard
extension. This would prevent an attacker from sending .shtml and the
like, and would eliminate the possibility of a successful double dot exploit.

As for the cross site scripting, I see no solution other than an option to
disallow all attachments and MIME types other than text/plain. I did not
see this option in the docs - I'll work on adding a patch. If someone
could point out to me where the checks are made, it would save me some time
:-).

In terms of converting all < and > into &lt; and &gt;, could you point out
where it is done? I would like to double check that no spots are missed -
all parts of the message, including body, messageid, subject, etc. need to
be checked.

> I believe that all files created by hypermail are chmod'ed to 0644 by
> default. Altering this would require something like write access to ~/.hmrc.

Can anyone else verify that there is no way to get hypermail to write files
with a different mode?

Franklin DeMatto
Senior Analyst, qDefense Penetration Testing
http://qDefense.com
qDefense: Making Security Accessible
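As an added example (not hypermail's code and not part of this thread), the character test quoted above is placed beside a hardened variant that implements the proposal in this message: reject "." as well and let the archive append a fixed extension. The function names and the ".bin" suffix are this example's assumptions.

```c
#include <stdio.h>
#include <string.h>

/* The whitelist quoted in the thread: hypermail's safe_filename test. */
int is_safe_char(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
           (c >= 'A' && c <= 'Z') || c == '-' || c == '.' ||
           c == ':' || c == '_';
}

/* Current behaviour as described: drop characters failing the test and
 * keep the rest.  Dots survive, so "report.shtml" and "a..b" pass. */
void safe_filename_current(const char *in, char *out, size_t outlen)
{
    size_t j = 0;
    for (; *in && j + 1 < outlen; in++)
        if (is_safe_char(*in))
            out[j++] = *in;
    out[j] = '\0';
}

/* Hardened variant per the proposal in the message: '.' is dropped too and
 * the archive appends a fixed extension, so the sender picks neither the
 * extension nor a ".." sequence.  ".bin" is this example's choice. */
void safe_filename_hardened(const char *in, char *out, size_t outlen)
{
    static const char ext[] = ".bin";          /* sizeof(ext) includes NUL */
    size_t j = 0;
    if (outlen < sizeof(ext) + 1) {            /* no room for "_" + ext */
        if (outlen) out[0] = '\0';
        return;
    }
    for (; *in && j + sizeof(ext) < outlen; in++)
        if (is_safe_char(*in) && *in != '.')
            out[j++] = *in;
    if (j == 0)                                /* never emit a bare ".bin" */
        out[j++] = '_';
    memcpy(out + j, ext, sizeof(ext));
}

int main(void)
{
    char cur[64], hard[64];
    safe_filename_current("report.shtml", cur, sizeof cur);
    safe_filename_hardened("report.shtml", hard, sizeof hard);
    printf("current: %s  hardened: %s\n", cur, hard);
    return 0;
}
```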



---------

This archive was generated by hypermail 2b29.