Published: 2002-12-31 00:00:00
Revised: 2008-09-05 16:32:56

[Original] W3Mail 1.0.2 through 1.0.5 with server side scripting (SSI) enabled in the attachments directory does not properly restrict the types of files that can be uploaded as attachments, which allows remote attackers to execute arbitrary code by sending code in MIME attachments, then requesting the attachments.

[CNNVD] CasecadeSoft W3Mail Attachment Disclosure Vulnerability (CNNVD-200212-380)

        In W3Mail 1.0.2 through 1.0.5 with server-side scripting (SSI) enabled for the attachments directory, the attachments directory does not properly restrict the file types that can be uploaded as attachments. A remote attacker can exploit this to execute arbitrary code by sending a MIME attachment containing code and then requesting that attachment.

- CVSS (base score)

CVSS score: 5.8 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Access complexity: MEDIUM [exploitation requires certain access conditions]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [no authentication is required to exploit]

- CWE (weakness category)

CWE-16 [Configuration]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  BID  5314
(UNKNOWN)  XF  w3mail-mime-attachment-execution(9680)
(UNKNOWN)  BUGTRAQ  20020725 Medium security hole affecting W3Mail

- Vulnerability information

CasecadeSoft W3Mail Attachment Disclosure Vulnerability
Medium severity  Design error
2002-12-31 00:00:00 2002-12-31 00:00:00
        In W3Mail 1.0.2 through 1.0.5 with server-side scripting (SSI) enabled for the attachments directory, the attachments directory does not properly restrict the file types that can be uploaded as attachments. A remote attacker can exploit this to execute arbitrary code by sending a MIME attachment containing code and then requesting that attachment.

- Advisories and patches

        Upgrade to version 1.0.6.

- Vulnerability information

W3Mail Crafted MIME Attachment Upload Arbitrary Code Execution
Remote / Network Access, Input Manipulation
Loss of Integrity; Solution: Upgrade
Exploit: Private; Vendor Verified

- Vulnerability description

Part 1. Unless directory indexing is disabled for the MIME attachments directory, it is possible to browse that directory and read arbitrary attachments. Prior to release 1.0.3, W3Mail did not correctly clean up the MIME directory, leaving attachments there even after the user to whom they belonged had logged out. In versions 1.0.3 and later, attachments are removed provided the user logs out correctly. Note that if the user simply closes the browser window rather than using the logout link, the attachments remain, as with 1.0.3 and lower releases.

Part 2. By sending a MIME attachment that the web server would execute from the MIME attachments directory to a POP3 account that is read through the W3Mail web-based POP3 client, remote access as the web server user can in theory be achieved, provided the user to whom the mail is sent opens the malicious email (which creates the attachment in the MIME attachments directory for the lifetime explained in part 1). While the attachment exists, the attacker can request it through a browser and have the web server execute it. The attachment must be sent with a non-text MIME type for the malicious code to be written out correctly. This part of the vulnerability works even when directory indexing is turned off for the MIME attachments directory, since attachments are created under their original filenames. It can also be exploited via attachments sent from W3Mail, although the exposure is reduced from 1.0.3 onwards, which cleans the attachments directory after the mail has been sent, minimizing the window for an attack.
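As an added illustration, not W3Mail's own code (which this page does not show), the following Python sketch reproduces both halves of the advisory: an attachment-saving routine that writes a non-text MIME part under its original filename into a web-served directory, beside a hardened version that stores it under a random, extension-less name outside the web root, serves it only as an opaque download, and expires it by session lifetime rather than on an explicit logout click. The sample message, directory layout and function names are constructed for this example; the `.shtml` name and `#exec` body only matter if the directory is actually server-parsed, which is the configuration the advisory assumes.

```python
"""Added example (not W3Mail code): how a webmail client hands the web server
an executable file by writing MIME attachments into a web-served directory,
and one hardened alternative. All names and the sample message are constructed."""
import email
import email.policy
import os
import secrets
import time

# Constructed sample mail: a non-text attachment whose filename carries an
# extension the web server would treat as server-parsed. The advisory notes a
# non-text MIME type is needed so the bytes are written out unmodified.
SAMPLE_MAIL = b"""\
From: attacker@example.invalid
To: victim@example.invalid
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="report.shtml"
Content-Disposition: attachment; filename="report.shtml"
Content-Transfer-Encoding: 7bit

<!--#exec cmd="id" -->
--b1--
"""


def attachments(raw: bytes):
    """Yield (filename, content type, decoded bytes) for each attachment part."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    for part in msg.iter_attachments():
        yield (part.get_filename() or "unnamed",
               part.get_content_type(),
               part.get_payload(decode=True))


def save_vulnerable(raw: bytes, webroot: str) -> list:
    """The pattern the advisory describes: the sender's filename is used as-is
    inside a directory the web server serves (and, here, parses)."""
    outdir = os.path.join(webroot, "attachments")
    os.makedirs(outdir, exist_ok=True)
    written = []
    for name, _ctype, data in attachments(raw):
        path = os.path.join(outdir, name)  # sender controls name and extension
        with open(path, "wb") as f:
            f.write(data)
        written.append(path)
    return written


def save_hardened(raw: bytes, store: str, session_id: str) -> list:
    """Random extension-less name, stored outside the web root. The original
    filename survives only as metadata for the download handler."""
    outdir = os.path.join(store, session_id)  # session_id: server-generated
    os.makedirs(outdir, exist_ok=True)
    records = []
    for name, ctype, data in attachments(raw):
        token = secrets.token_hex(16)
        path = os.path.join(outdir, token)
        with open(path, "wb") as f:
            f.write(data)
        records.append({"token": token, "path": path, "orig_name": name,
                        "ctype": ctype, "created": time.time()})
    return records


def download_headers(rec: dict) -> dict:
    """Serve the stored bytes as an opaque download: never as a page the
    server would interpret, and never content-sniffed by the browser."""
    safe = "".join(c for c in rec["orig_name"] if c.isalnum() or c in "._-")
    return {"Content-Type": "application/octet-stream",
            "Content-Disposition": f'attachment; filename="{safe or "attachment"}"',
            "X-Content-Type-Options": "nosniff"}


def purge_expired(records: list, now: float, ttl: float) -> list:
    """Part 1 of the advisory: do not depend on the user clicking logout.
    Remove files once the session lifetime has passed; return the survivors."""
    kept = []
    for rec in records:
        if now - rec["created"] > ttl:
            try:
                os.remove(rec["path"])
            except FileNotFoundError:
                pass
        else:
            kept.append(rec)
    return kept
```

Whatever the application does, the attachments directory should also have server-side execution switched off at the web server (for Apache, `Options -Includes -ExecCGI` together with `SetHandler default-handler` for that directory) and indexing disabled (`Options -Indexes`), which closes part 1 of the advisory independently of the cleanup logic.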

- Timeline

2002-07-25 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.0.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability discoverer

Unknown or Incomplete