Instant Web Mail additional POP3 commands and mail headers

PROGRAM: Instant Web Mail
VENDOR: Jonas Koch Bentzen (jonas@understroem.dk)
HOMEPAGE: http://understroem.dk/instantwebmail/
VULNERABLE VERSIONS: 0.59 (possibly earlier versions too)
TYPE: remote/local
SEVERITY: medium

DESCRIPTION:

"Instant Web Mail is a Web-based POP mail client written in PHP. It is incredibly simple to install, but it is nevertheless an advanced program." (direct quote from the program's project page at Freshmeat)

It has features such as reading and sending attachments, viewing both text/plain and text/html messages, and decoding national characters in mail headers; you can choose between several languages and themes, it is customizable, etc. The program is published under the terms of the GNU General Public License.

ISSUES:

1) The function command(), which sends a POP3 command to a POP3 server, allows embedded CR and LF characters. Nowhere in the program are those characters stripped from user input before it is passed to that function. This means that we can include additional POP3 commands in user requests.

The program also converts URLs in e-mail messages to links. This makes it easy for an evil person to send a link to a user, and for that user to visit it. He or she may then be redirected from the evil server back to a page at his or her Instant Web Mail installation. If the evil server passes an additional POP3 command for deleting a mail in the URL that it redirects to, Instant Web Mail will then show the user one mail while deleting another one!

One example of such a URL to redirect to would be:

http://www.userhost.se/instantwebmail/message.php?id=1%0D%0ADELE+2&

2) The mail sending script write.php allows embedded CR and LF characters in the user input that makes up mail headers like From, To, Cc, Bcc, Subject and X-Priority. This can be used for adding uuencoded attachments up in the headers with lines ending in CR instead of CRLF, as previously discussed here on Bugtraq.
This issue can be exploited by simply saving Instant Web Mail's HTML page for writing mails and changing some text fields to textareas.

COMMUNICATION WITH VENDOR:

The vendor was contacted on the 14th of March. We discussed these issues for a few days. Version 0.60, which is not vulnerable to any of these issues, was released on the 17th of March.

RECOMMENDATION:

I recommend that all users upgrade to version 0.60 immediately.

// Ulf Harnhammar
metaur@prontomail.com
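Both issues come down to one missing check: user input reaches a line-oriented protocol (POP3 commands, mail headers) without CR and LF being rejected. The following is an added example, not code from Instant Web Mail (which is PHP), written in Python to show that check: it decodes the id parameter of the example URL above the way the web server would, refuses it as a POP3 argument, and refuses CR, LF and bare CR in header values. The function names are the example's own.

```python
"""Defensive checks for CR/LF injection into POP3 commands and mail headers.
Added example, not part of Instant Web Mail."""
import re
from urllib.parse import parse_qs, urlsplit

# Any ASCII control character (CR and LF included) ends or corrupts a
# POP3 line or a mail header, so none may appear in a user-supplied value.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def contains_line_break(value: str) -> bool:
    """True if the value could start a new line: LF, CRLF, or a bare CR."""
    return "\r" in value or "\n" in value


def pop3_command(verb: str, argument: str) -> str:
    """Build one POP3 command line; refuse arguments with control characters,
    so a single request can never carry a second command such as DELE."""
    if _CONTROL.search(argument):
        raise ValueError("control character in POP3 argument")
    return f"{verb} {argument}\r\n"


def header_line(name: str, value: str) -> str:
    """Build one mail header; reject line breaks so a From/To/Subject value
    cannot append further headers or body lines (bare CR included)."""
    if not re.fullmatch(r"[!-9;-~]+", name):  # printable ASCII except ':'
        raise ValueError("bad header name")
    if contains_line_break(value):
        raise ValueError(f"line break in {name} header value")
    return f"{name}: {value}\r\n"


def message_id_from_url(url: str) -> str:
    """Extract message.php's id parameter, percent-decoded as PHP would see it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("id", [""])[0]


def is_safe_request(url: str) -> bool:
    """True only if the id parameter can be sent as a single POP3 argument."""
    try:
        pop3_command("RETR", message_id_from_url(url))
    except ValueError:
        return False
    return True
```

For a message number an allowlist of digits would be stricter still; the control-character check is the minimum that closes both issues.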