AtMail 5.41 - world readable database config

AtMail 5.41 stores its database credentials - db username, db password, and db name - in a file at atmail/libs/Atmail/Config.php, which is world readable post-install.

Any local user can access the AtMail database, which contains the email usernames, passwords, session IDs, and more. Since this information persists in the AtMail database even after a user has logged off, email usernames and passwords of atmail users are easily obtainable.

[user@host ~]$ ls -l /usr/local/apache/htdocs/atmail/libs/Atmail/Config.php
-rw-r--r-- 1 nobody nobody 15408 Jun 17 05:50 Config.php
[user@host ~]$ egrep 'sql_(host|user|pass)' /usr/local/apache/htdocs/atmail/libs/Atmail/Config.php
'sql_host' => 'localhost',
'sql_user' => 'atmail',
'sql_pass' => '#uK*EV+gCRz@iIq',
[user@host ~]$ mysql -u atmail -p'#uK*EV+gCRz@iIq' atmail
mysql> SELECT Account,Password FROM UserSession \G
| Account          | Password   |
| | testpass   |

Now imagine seeing that output for tens, hundreds, or even thousands of users. You now have access to every email account on the box that anyone has ever used AtMail to log into. Remember - session info, such as usernames and passwords, remains in the database even after the user has logged off.

The problem of password reuse means that it is all but guaranteed that you also now have passwords to people's control panel accounts, perhaps even PayPal accounts, online banking accounts, etc.

Perhaps the biggest issue here is that, by default, the database user automatically chosen by the installer is "root". Though this can be changed at install time, less experienced admins who use the root mysql account (instead of creating a completely separate user for the atmail db) now have their mysql root passwords stored on their server in plain text, viewable by anyone with local access. This of course means a complete compromise of every mysql database hosted on the server.
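A small audit helper, added here as an example and not part of the original advisory, that checks an AtMail Config.php for the two conditions described above: a file mode that lets other users read it, and a database user of "root". It assumes the 'sql_user' => '...' layout shown in the egrep output and runs against a constructed sample file with placeholder credentials.

```shell
#!/bin/sh
# Added audit helper (not part of the AtMail advisory): flags an AtMail
# Config.php that is readable by other users and/or still uses the MySQL
# root account. Assumes the 'sql_user' PHP array key shown in the advisory.

# check_atmail_config PATH
# Prints one finding per line. Return code:
#   0 = no finding, 1 = world-readable, 2 = db user is root, 3 = both, 4 = missing
check_atmail_config() {
    cfg="$1"
    rc=0
    [ -f "$cfg" ] || { echo "no such file: $cfg"; return 4; }
    # Portable "other" permission triplet: characters 8-10 of ls -l output
    # (stat -c is GNU-only and stat -f is BSD-only, so parse ls instead).
    other=$(ls -l "$cfg" | cut -c8-10)
    case "$other" in
        r*) echo "WORLD-READABLE: $cfg (other=$other)"; rc=$((rc + 1)) ;;
    esac
    # Pull the configured DB user out of the PHP array entry.
    dbuser=$(sed -n "s/^[[:space:]]*'sql_user'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$cfg" | head -n 1)
    if [ "$dbuser" = "root" ]; then
        echo "DB USER IS root: $cfg"
        rc=$((rc + 2))
    fi
    return $rc
}

# Constructed sample config mimicking the layout in the advisory.
# The credentials are placeholders, not values from any real install.
demo_dir=$(mktemp -d)
cat > "$demo_dir/Config.php" <<'EOF'
<?php
return array(
    'sql_host' => 'localhost',
    'sql_user' => 'root',
    'sql_pass' => 'PLACEHOLDER_PASSWORD',
);
EOF
chmod 644 "$demo_dir/Config.php"   # the post-install mode the advisory reports

check_atmail_config "$demo_dir/Config.php"; demo_rc=$?
echo "exit code: $demo_rc"          # 3: world-readable and root
```

Tightening the mode (e.g. owner and web-server group only) clears the first finding; only creating a dedicated, least-privileged database user clears the second.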