|
Description
|
|
Multiple vulnerabilities have been discovered in AtMail Open, which can be exploited by malicious users to disclose sensitive information, manipulate certain data, and compromise a vulnerable system and by malicious people to conduct cross-site scripting attacks.
1) Input passed to the "func" parameter in ldap.php and search.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
2) Input passed via the "file" parameter to mime.php is not properly verified before being used to read files. This can be exploited to disclose the contents of arbitrary files from local resources via directory traversal sequences.
3) Input passed via the "unique" parameter to compose.php (when "func" is set to "renameattach') is not properly verified in libs/Atmail/SendMsg.php before being used to copy files. This can be exploited to overwrite arbitrary files via directory traversal sequences and URL-encoded NULL bytes.
4) Input passed via the "Attachment" parameter to compose.php (when "func" is set to "renameattach') is not properly verified in libs/Atmail/SendMsg.php before being used to copy files. This can be exploited to disclose the contents of arbitrary files from local resources via directory traversal sequences.
5) An error in the "add_attachment()" function in the libs/Atmail/SendMsg.php script does not validate the extension of an uploaded file, which can be exploited to e.g. upload and execute arbitrary PHP files.
The vulnerabilities are confirmed in version 1.04. Other versions may also be affected.
|
