-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Full details of this report are available at:
http://www.madirish.net/?article=466

A recent code audit of the NuralStorm Webmail system revealed a number of serious vulnerabilities. If you are using NuralStorm, please review the following vulnerability report. It is recommended that you restrict access to any NuralStorm installations immediately and disable NuralStorm if possible. There is currently no patch or workaround for the vulnerabilities described below.

Description of Vulnerability:
- -----------------------------
NuralStorm Webmail is an open-source, web-based e-mail client written in PHP. NuralStorm is distributed from http://www.nuralstorm.net/.

NuralStorm Webmail contains a cross-site scripting (XSS) vulnerability because it fails to sanitize HTML e-mail before displaying it. This vulnerability is particularly dangerous because NuralStorm stores login credentials in cookie values. The combination of this vulnerability and this architecture means that an attacker can steal login credentials by injecting JavaScript into mail sent to targeted users.

NuralStorm contains multiple stored XSS vulnerabilities in the address book functionality because nickname and e-mail address values are not sanitized before display.

NuralStorm contains an arbitrary file upload vulnerability because it fails to sanitize the value of variables stored in client-side cookies (COOKIE_SESSSION) before using these variables to determine upload locations. This vulnerability could allow an attacker who can compose messages to upload arbitrary PHP files to any directory on the NuralStorm server that is writable by the web server.

NuralStorm is also vulnerable to numerous cross-site request forgery (XSRF) attacks because its input forms implement no protection mechanism, such as one-time tokens.

NuralStorm contains an information disclosure vulnerability because it does not sanitize input to the book.php page. An attacker requesting a crafted URL can expose the address books of valid system users.

NuralStorm contains a reflected XSS vulnerability in book_include.php because it fails to sanitize the BGCOLOR parameter before including it in the page display. Attackers can exploit this vulnerability via a URL.

NuralStorm contains an arbitrary file deletion vulnerability in maintenance.php. Attackers can use URL variables to cause the web server to delete arbitrary files.

NuralStorm allows arbitrary e-mail to be relayed via problems.php without authentication. This vulnerability can be exploited via maliciously crafted URL parameters.

NuralStorm's settings.php contains an unauthenticated arbitrary file write vulnerability. Attackers can use this vulnerability to write arbitrary PHP to directories writable by the web server, which could be used to plant PHP shell backdoors.

Systems affected:
- -----------------
NuralStorm 0.985 b was tested and shown to be vulnerable.

Impact
- ------
Highly critical. Attackers could use XSS in a message sent to a victim to perform, from the victim's browser, all of the attacks described above, including the arbitrary file upload attack. Using the proof of concept in the full report, unauthenticated attackers can write arbitrary PHP with the privileges of the web server. This could lead to PHP shell injection and web server compromise. A denial-of-service threat exists because the file deletion vulnerability can remove any file the web server has permission to delete. XSS attacks could reveal credentials, as these are stored unencrypted in cookies. Because NuralStorm authenticates users with their POP/IMAP account credentials, which are often also valid for shell access (SSH or Telnet), credential exposure could provide shell access to the server.

Vendor Response
- ---------------
Attempts to contact the vendor were unsuccessful; e-mail to all published contacts (including the domain registrants) bounced. The project was last updated nearly 8 years ago, so it is reasonable to assume that it has been abandoned.

- -- 
Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using the public key at http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkw7BQQACgkQkSlsbLsN1gAy3gb+JT0KxlQY4V5ToJJmURd7s/HB
mg0ombm/M97rsMwZokCO2Kz5he/HMXWeDm6eOYP+F12CDjjK6gn40Z/TccCn7WV2
uzrUQIVKxKxPbArpYcVogN7VMwhTLa3BNwRf3ZwyaWedvkFFUKLdbdkQbIXnUeyr
4wj5Dpbp1yvtOnaKtUeVXZGn2r2Xokc6INw9CYvazzol+nlbfCgvRXYmTT8EWZLT
GOAkIWPynKip+MEJJkTbrDgE5r08NgkdL18MTLC0Im5kqoLb6tWeAc9YAZn28yYy
ZHi8T3KJv+ZD8IUCvzc=
=dSOs
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
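The arbitrary file upload described in the advisory comes from using a client-controlled cookie value (COOKIE_SESSSION) to build the directory an attachment is written to. The following is an added example, not NuralStorm's code: it models that pattern in a vulnerable function and places a hardened version beside it. The base directory, the function names and the cookie contents are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not NuralStorm code. A value read from a client-side cookie
// is used to pick the directory an uploaded attachment is written to. Base
// directory, function names and cookie contents are assumptions.

// Vulnerable pattern: the cookie value and the client-supplied file name are
// concatenated straight into a filesystem path. A cookie of "../../htdocs"
// combined with a file name of "shell.php" resolves to a PHP file inside the
// document root, which the web server will happily execute.
function vulnerableUploadPath(string $base, string $sessionCookie, string $clientName): string
{
    return $base . '/' . $sessionCookie . '/' . $clientName;
}

// Hardened replacement. Returns the path to write to, or null when the
// request must be refused.
function safeUploadPath(string $base, string $sessionCookie): ?string
{
    // 1. Strict allowlist on the session identifier: no slashes, dots,
    //    NUL bytes or anything else that could alter the path.
    if (preg_match('/\A[A-Za-z0-9]{16,64}\z/', $sessionCookie) !== 1) {
        return null;
    }

    // 2. Resolve the spool directory first; it must exist and be a directory.
    $realBase = realpath($base);
    if ($realBase === false || !is_dir($realBase)) {
        return null;
    }

    // 3. Create the per-session directory with owner-only permissions.
    $dir = $realBase . DIRECTORY_SEPARATOR . $sessionCookie;
    if (!is_dir($dir) && !mkdir($dir, 0700)) {
        return null;
    }

    // 4. Re-resolve after creation so a symlink planted at $dir cannot redirect
    //    the write outside the spool. The spool itself must not be writable by
    //    other local users, or a race between mkdir() and realpath() remains.
    $realDir = realpath($dir);
    $prefix  = $realBase . DIRECTORY_SEPARATOR;
    if ($realDir === false || strncmp($realDir, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // 5. Never reuse the client's file name. Store under a random name with a
    //    fixed, non-executable extension; keep the original name in metadata.
    return $realDir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.bin';
}

// Constructed demonstration inputs.
$spool = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'webmail-spool-demo';
if (!is_dir($spool)) {
    mkdir($spool, 0700);
}

$attackerCookie = '../../htdocs';          // traversal via the cookie value
$honestCookie   = bin2hex(random_bytes(16)); // what a real session id looks like

echo 'vulnerable: ', vulnerableUploadPath('/var/www/webmail/tmp', $attackerCookie, 'shell.php'), PHP_EOL;
echo 'hardened, attacker cookie: ', var_export(safeUploadPath($spool, $attackerCookie), true), PHP_EOL;
echo 'hardened, honest cookie:   ', var_export(safeUploadPath($spool, $honestCookie), true), PHP_EOL;
```

Run it with `php upload_path.php`. The allowlist check is what rejects the traversal; the realpath() prefix check guards against symlinks and configuration mistakes rather than the cookie itself. Neither replaces the server-side control the advisory's impact section implies: the upload directory should be outside the document root, or configured so the web server never executes scripts from it.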
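The advisory notes that NuralStorm's forms carry no anti-forgery protection "such as one time tokens", which is what lets a message containing XSS drive the compose, address-book and upload forms on the victim's behalf. The following is an added example, not NuralStorm's code, of the per-session token check those forms would need. The session key and form field name `csrf_token` are assumptions, and a plain array stands in for `$_SESSION` so the example runs from the command line.

```php
<?php
declare(strict_types=1);

// Added example, not NuralStorm code: per-session anti-forgery token for
// state-changing forms (send mail, add or delete address book entries).
// The key name 'csrf_token' is an assumption; $_SESSION is replaced by an
// array so this runs stand-alone.

// Issue a token once per server-side session, or return the existing one.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token']) || !is_string($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits of entropy
    }
    return $session['csrf_token'];
}

// Hidden input to embed in every form whose submission changes state.
function csrfField(array &$session): string
{
    $escaped = htmlspecialchars(csrfToken($session), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $escaped . '">';
}

// Verify on every POST before acting. hash_equals() compares in constant time;
// a missing or mistyped token fails closed.
function csrfValid(array $session, array $post): bool
{
    if (!isset($session['csrf_token'], $post['csrf_token'])) {
        return false;
    }
    if (!is_string($session['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Constructed demonstration: a legitimate submission, a forged cross-site
// submission that rides on the victim's cookies but cannot know the token,
// and a guessed token of the right length.
$session     = [];
$hiddenField = csrfField($session);

$legitimatePost = ['to' => 'victim@example.com', 'csrf_token' => $session['csrf_token']];
$forgedPost     = ['to' => 'victim@example.com'];
$guessedPost    = ['to' => 'victim@example.com', 'csrf_token' => str_repeat('0', 64)];

echo $hiddenField, PHP_EOL;
echo 'legitimate: ', var_export(csrfValid($session, $legitimatePost), true), PHP_EOL;
echo 'forged:     ', var_export(csrfValid($session, $forgedPost), true), PHP_EOL;
echo 'guessed:    ', var_export(csrfValid($session, $guessedPost), true), PHP_EOL;
```

Two caveats follow directly from the advisory. First, a token only works when the state-changing action requires a POST carrying it; the file deletion in maintenance.php and the relay in problems.php are reachable through URL parameters alone, so those paths need the same method and token check, not just the visible forms. Second, the token must live in a server-side session: an application that keeps credentials in cookies, as NuralStorm does, has nowhere trustworthy to store it, and any token exposed to page scripts is readable by the injected JavaScript the XSS delivers.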