1. Introduction
The Atmail WebMail application, version 5.6.1 (5.61) and potentially earlier, contains multiple cross-site scripting (XSS) vulnerabilities in the ‘webadmin/admin.php’ file. These flaws allow an attacker to inject script into web pages viewed by other users and have it run in their browser, potentially exposing session cookies, authentication credentials or other sensitive information. Because the affected script belongs to the administrative interface, the most likely victim is an Atmail administrator, and the impact is correspondingly higher. This affects systems running Atmail WebMail, particularly those exposed to external networks. A successful exploit could compromise the confidentiality and integrity of user accounts.
2. Technical Explanation
The vulnerability stems from insufficient input validation in the ‘webadmin/admin.php’ script when handling the ‘func’ and ‘type’ parameters: their values are reflected into the HTML response without being encoded, so the flaw is a reflected XSS. The ‘func’ parameter is injectable on its own; when ‘func’ is set to ‘stats’, the ‘type’ parameter also becomes injectable. An attacker can therefore supply arbitrary JavaScript that executes in the browser of whoever opens the crafted link. CVE-2009-2455 details this issue.
- Root cause: The application fails to sanitize or output-encode user-supplied input for the ‘func’ and ‘type’ parameters within ‘webadmin/admin.php’ before reflecting it into the page.
- Exploit mechanism: An attacker crafts a URL carrying script code in the ‘func’ parameter, or in the ‘type’ parameter with ‘func=stats’, then tricks a user (typically an administrator) into visiting that URL. For example, a link of the form http://example.com/webadmin/admin.php?func=stats&type= with the script payload as the value of ‘type’.
- Scope: Atmail WebMail versions up to and including 5.6.1 (5.61) are affected. Earlier versions may also be vulnerable.
3. Detection and Assessment
Confirming vulnerability requires checking the installed version of Atmail WebMail and potentially testing for the XSS flaw.
- Quick checks: Check the Atmail WebMail version via the web interface (usually in ‘Help’ or ‘About’).
- Scanning: Nessus plugin ID 34762 can detect this vulnerability as an example.
- Logs and evidence: Examine web server access logs for requests to ‘webadmin/admin.php’ with suspicious parameters, such as ‘func=stats’ together with HTML or script characters in the ‘type’ parameter, or such characters in ‘func’ itself. URL-decode the query string before inspecting it, since payloads normally arrive percent-encoded (for example ‘%3Cscript%3E’ rather than ‘<script>’).
# No direct command available; check the version via the web interface.
4. Solution / Remediation Steps
At the time of this advisory there is no known vendor fix for this vulnerability. Mitigation therefore focuses on limiting exposure of the administrative interface and on monitoring for exploitation attempts.
4.1 Preparation
- There are no direct service dependencies to stop for this assessment, but monitor system performance during testing. Rollback involves restoring from backup or snapshot.
- Change windows may be required depending on business impact and user activity. Approval should come from IT Security.
4.2 Implementation
- Step 1: Implement a Web Application Firewall (WAF) rule that inspects the URL-decoded values of the ‘func’ and ‘type’ parameters on requests to ‘webadmin/admin.php’ and blocks requests whose values contain HTML or script markers (angle brackets, ‘javascript:’ URIs, event-handler attributes such as ‘onerror=’).
- Step 2: Where business needs allow, restrict network access to the ‘webadmin/’ directory to trusted administrator addresses, which removes the external-exposure condition noted in the introduction.
- Step 3: Monitor web server logs for any attempts to exploit this vulnerability, using the same decoded-parameter check as the WAF rule so that blocked and unblocked attempts are both visible.
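As an added example that is not part of this advisory or of Atmail's own code, the following Python implements the log check described in section 3 and in the monitoring step above: it URL-decodes the ‘func’ and ‘type’ parameters of requests to webadmin/admin.php, flags values that carry HTML or script markers, and runs that classifier over a few constructed Combined Log Format lines. The sample log lines, IP addresses and the marker pattern are assumptions; the same classifier is what a WAF rule for Step 1 would express in the vendor's own syntax.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers that indicate HTML/script injection once the value is URL-decoded.
# This is an illustrative pattern, not a complete XSS signature set.
XSS_MARKERS = re.compile(r"<|>|javascript:|on\w+\s*=", re.IGNORECASE)

# Apache/nginx Combined Log Format: client, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(target):
    """Return a reason string if the request target looks like an XSS attempt
    against webadmin/admin.php, or None if it looks benign.

    parse_qs percent-decodes the query once, so '%3Cscript%3E' is inspected
    as '<script>', matching how the browser would see the reflected value."""
    parts = urlsplit(target)
    if not parts.path.rstrip("/").endswith("webadmin/admin.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    func_values = params.get("func", [])
    type_values = params.get("type", [])

    # 'func' is injectable on its own.
    for value in func_values:
        if XSS_MARKERS.search(value):
            return "script markers in func"

    # 'type' is injectable only when func=stats.
    if "stats" in func_values:
        for value in type_values:
            if XSS_MARKERS.search(value):
                return "script markers in type (func=stats)"
    return None


def scan_access_log(log_text):
    """Parse Combined Log Format lines and return (ip, timestamp, target, reason)
    for every request that classify_request flags."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed or non-matching lines
        reason = classify_request(m.group("target"))
        if reason:
            hits.append((m.group("ip"), m.group("ts"), m.group("target"), reason))
    return hits


# Constructed sample log (not real traffic): one benign stats request, one
# attempt via 'type', one attempt via 'func', and one unrelated script.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2009:12:01:02 +0000] "GET /webadmin/admin.php?func=stats&type=users HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jul/2009:12:01:09 +0000] "GET /webadmin/admin.php?func=stats&type=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120
198.51.100.7 - - [10/Jul/2009:12:02:00 +0000] "GET /webadmin/admin.php?func=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5120
198.51.100.9 - - [10/Jul/2009:12:03:00 +0000] "GET /index.php?func=stats&type=%3Cscript%3E HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for ip, ts, target, reason in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {reason}: {target}")
```

Only the second and third sample lines are reported: the first carries a plain ‘type=users’, and the fourth targets a different script, so the admin.php-specific check does not apply. Pipe a real access log into scan_access_log to hunt for historical attempts; a production version should also decode a second time to catch double-encoded payloads.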
4.3 Config or Code Example
Before
# No code example available as there is no patch. This shows the vulnerable URL structure:
http://example.com/webadmin/admin.php?func=stats&type=
After
# WAF rule example (syntax varies by vendor): Block requests to /webadmin/admin.php containing