AtMail 5.41 - remotely download atmail/ directory, which includes the database config, and the admin user's password hash


After installing AtMail 5.41, the file build-plesk-upgrade.php exists in the remotely accessible atmail/ directory. When that script is executed, it creates the following 2 files:

-rw-r--r--  1 nobody nobody 101754880 Jul 30 17:26 files.tar
-rw-r--r--  1 nobody nobody  27162656 Jul 30 17:26 plesk-atmail-upgrade.tgz

files.tar is a tarball of the entire atmail/ directory. plesk-atmail-upgrade.tgz is the gzipped files.tar file.


Any remote, unauthenticated person can send a GET request to build-plesk-upgrade.php, and once it finished running, that person can download files.tar or plesk-atmail-upgrade.tgz and obtain the Atmail database configuration, to include db name, db username, and db password. Also included is the admin user's .htpasswd file which contains the admin user's username and MD5 hashed password.

This issue was not reported to the vendor because the previous 2 issues were not addressed until they were made fully public - 2 months after the initial notification (the vendor later claimed to have patched within 24 hours of notification). This issue was resolved not long after being made public.