Mail injection through WebMail applications

IMAP Injection
 
Suppose the link:

http://<webmail-addr>/show_email.php?m_id=8

displays the eighth message in the current folder. Replacing the number in the URL then displays the message with the corresponding number. This is the intended behavior of the application. The actual command sent to the server to retrieve the eighth message would be:

FETCH 8 BODY[HEADER]

It is clear which part of the command the variable replaces. Written in terms of the variable, the command is:

FETCH + <variable> + BODY[HEADER]

To perform a code injection into the mail server, such as two fetch operations instead of one, the following commands would need to reach the mail server's IMAP service:

FETCH 8 BODY[HEADER]
? FETCH 7 BODY[HEADER]

Starting from the same basic replacement pattern above, we can conclude that the URL required to access two e-mails at once is:

http://<webmail-addr>/show_email.php?m_id=8 BODY[HEADER]%0d%0a? FETCH 7

This particular example relies on one very handy string inside the URL: "%0d%0a" is the URL-encoded newline sequence (CRLF, carriage return and line feed). This sequence is always required when issuing multi-line commands. In practice, code injection is very rarely used without spanning the injected code over multiple lines.
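
The replacement pattern above, next to a validated form, as an added example that is not code from the original article or from any particular WebMail product. The function names are hypothetical, the command format follows the article's FETCH lines, and the two m_id values are the ones from the URLs shown above.

```python
import re
from urllib.parse import unquote

# Sample inputs constructed from the two URLs in the article.
BENIGN_M_ID = "8"
INJECTED_M_ID = unquote("8 BODY[HEADER]%0d%0a? FETCH 7")  # as seen after URL decoding

# A message number is a non-zero decimal integer. [0-9] (not \d) keeps
# Unicode digits out, and fullmatch() refuses a trailing "\n" that a
# "^...$" pattern would let through.
_MSG_NUM = re.compile(r"[1-9][0-9]{0,9}")


def build_fetch_unsafe(m_id: str) -> bytes:
    """The pattern from the article: FETCH + <variable> + BODY[HEADER]."""
    return f"FETCH {m_id} BODY[HEADER]\r\n".encode("ascii")


def build_fetch_safe(m_id: str) -> bytes:
    """Allow exactly one message number; reject everything else up front."""
    if not _MSG_NUM.fullmatch(m_id):
        raise ValueError("m_id must be a single positive message number")
    return f"FETCH {int(m_id)} BODY[HEADER]\r\n".encode("ascii")


def count_commands(wire: bytes) -> int:
    """How many CRLF-terminated command lines the IMAP service would read."""
    return sum(1 for line in wire.split(b"\r\n") if line)


if __name__ == "__main__":
    for label, value in (("benign", BENIGN_M_ID), ("injected", INJECTED_M_ID)):
        wire = build_fetch_unsafe(value)
        print(f"{label}: unsafe builder emits {count_commands(wire)} command(s): {wire!r}")
        try:
            print(f"{label}: safe builder emits {build_fetch_safe(value)!r}")
        except ValueError as exc:
            print(f"{label}: safe builder rejected input ({exc})")
```

Validating m_id as a number at the point where the command is built removes the CRLF, the space and the bracket characters in one step, so no separate newline filter is needed for this parameter.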
 