====================================================================== Secunia Research 14/02/2006 - NeoMail neomail-prefs.pl Missing Session ID Validation - ====================================================================== Table of Contents Affected Software....................................................1 Severity.............................................................2 Description of Vulnerability.........................................3 Solution.............................................................4 Time Table...........................................................5 Credits..............................................................6 References...........................................................7 About Secunia........................................................8 Verification.........................................................9 ====================================================================== 1) Affected Software * NeoMail 1.28 Other versions may also be affected. ====================================================================== 2) Severity Rating: Moderately Critical Impact: Security bypass Where: Remote ====================================================================== 3) Description of Vulnerability Secunia Research has discovered a vulnerability in NeoMail, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to missing validation of the Session ID in the "addfolder()" and "deletefolder()" functions in neomail-prefs.pl. This can be exploited to create mail-folder files in arbitrary directories writable by the mail group (e.g. in users' /var/neomail/users NeoMail directories), and to delete mail-folder files created by arbitrary users if the names of the folder files are known. Successful exploitation requires that NeoMail is configured with $homedirfolders = 'no' and $homedirspools = 'no' ====================================================================== 4) Solution Update to version 1.29. ====================================================================== 5) Time Table 10/02/2006 - Initial vendor notification. 10/02/2006 - Initial vendor reply. 14/02/2006 - Public disclosure. ====================================================================== 6) Credits Discovered by Tan Chew Keong, Secunia Research. ====================================================================== 7) References NeoMail: http://sourceforge.net/project/shownotes.php?release_id=392562&group_id=2874 ====================================================================== 8) About Secunia Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: https://www.flexera.com/ Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration. Secunia offers a FREE mailing list called Secunia Security Advisories: https://www.flexera.com/secunia_security_advisories/ ====================================================================== 9) Verification Please verify this advisory by visiting the Secunia website: https://www.flexera.com/about-us/secunia-research/advisories/sr-2006-3.html Complete list of vulnerability reports published by Secunia Research: https://www.flexera.com/about-us/secunia-research/advisories/ ======================================================================