Security Update 7.5.0.2

Stewart -

Release overview

Release Date: 10 Feb 2015
Release Versions: On-Premises v7.5.0.2

Please Note:
Version 7.5.0.2 contains security fixes for the atmail 7.5.0 release. For full details on the atmail 7.5.0 release, click here.

Defect Fixes

Each fix below is listed with its impacted component(s), impact category, issue outline, impact description / new user experience, and the user(s) impacted.
Component(s) Impacted: Email, Email - Attachments, Web User Interface
Impact Category: Security
Issue Outline: Stored XSS in received email
Impact Description / New User Experience: If a user receives an email with an image attachment and clicks on it, the application lets the browser render the attachment inline instead of prompting a download. An attachment that carries a stored XSS payload under an image file name is therefore executed in the user's browser, within the webmail origin, as soon as the user clicks the attachment name. Resolution: ALWAYS force a download for attachments, so the browser never renders them inline.
User(s) Impacted: End users who use the web user interface

Component(s) Impacted: Storage, Web User Interface
Impact Category: Security
Issue Outline: Reflected self-XSS - WebDAV file upload
Impact Description / New User Experience: When a user uploads a file via Web UI >> Storage, a file name that contains an HTML/JS payload is reflected into the page and executed during the upload. The attacker has to induce the user to upload a crafted file, which is why this is rated as self-XSS. Resolution: filter characters that may form HTML/JS elements out of the file name.
User(s) Impacted: End users who use the web user interface

Component(s) Impacted: Calendar, Calendar Events, Web User Interface
Impact Category: Security
Issue Outline: Reflected XSS - Calendar popup
Impact Description / New User Experience: An attacker who knows the correct contextid, event id and relative_href values for a specific user's calendar event can craft an "Edit Event" request whose parameters are reflected into the popup without encoding.
User(s) Impacted: End users who use the web user interface

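
The two reflected-XSS items above (the uploaded file name echoed by the Storage upload, and the contextid / event id / relative_href parameters of the calendar Edit Event popup) share one root cause: an untrusted string is written into HTML without encoding. The following Python is an added illustration, not atmail's code; the function names, the Storage list markup and the /calendar/edit URL are assumptions. It shows the character filter the release notes describe for file names as defence in depth, and HTML/URL encoding at the output point, which is the fix that also covers the calendar parameters.

```python
import html
import re
from urllib.parse import quote

# Characters the release notes say are filtered from uploaded file names
# (HTML/JS element characters); path separators and control characters are
# stripped too.  This is defence in depth: the encoding in render_* below is
# what actually stops a payload from running.
_FILENAME_STRIP = re.compile(r'[<>"\'&/\\\x00-\x1f]')


def sanitize_filename(name: str) -> str:
    """Upload-time filter on the stored name, as described for 7.5.0.2."""
    cleaned = _FILENAME_STRIP.sub("", name).strip()
    return cleaned or "unnamed"


def render_storage_entry(filename: str) -> str:
    """Assumed markup for one entry in the Web UI >> Storage listing.
    The name is HTML-escaped at the moment it is written into the page."""
    return "<li>%s</li>" % html.escape(filename, quote=True)


def render_edit_event_link(contextid: str, event_id: str, relative_href: str) -> str:
    """Assumed markup for the calendar 'Edit Event' popup link.  Each
    parameter is percent-encoded in the query string, the whole attribute
    value is HTML-escaped, and the visible text is HTML-escaped."""
    query = "contextid=%s&id=%s&relative_href=%s" % (
        quote(contextid, safe=""),
        quote(event_id, safe=""),
        quote(relative_href, safe=""),
    )
    return '<a href="/calendar/edit?%s">Edit event %s</a>' % (
        html.escape(query, quote=True), html.escape(event_id, quote=True))


def render_edit_event_link_unsafe(contextid: str, event_id: str, relative_href: str) -> str:
    """The reflected-XSS shape: request parameters concatenated into the page raw."""
    return '<a href="/calendar/edit?contextid=%s&id=%s&relative_href=%s">Edit event</a>' % (
        contextid, event_id, relative_href)


if __name__ == "__main__":
    crafted = '<img src=x onerror=alert(1)>.png'   # constructed upload name
    print(sanitize_filename(crafted))
    print(render_storage_entry(crafted))
    # Constructed event id that breaks out of an unescaped attribute.
    evil_id = '1" onmouseover="alert(1)'
    print(render_edit_event_link_unsafe("7", evil_id, "/cal/1.ics"))
    print(render_edit_event_link("7", evil_id, "/cal/1.ics"))
```

The filter alone would not have protected the calendar popup, since contextid and relative_href are request parameters rather than stored names; encoding at every output point does.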
Component(s) Impacted: Contacts, Import/Export Contacts, Web User Interface
Impact Category: Security
Issue Outline: CSRF - Add contact
Impact Description / New User Experience: A forged cross-site request to the Web UI >> Contacts >> Import function adds attacker-chosen contacts to the targeted user's address book.
User(s) Impacted: End users who use the web user interface

Component(s) Impacted: Contacts, Web User Interface
Impact Category: Security
Issue Outline: CSRF - Add photo to contact
Impact Description / New User Experience: A forged cross-site request to the Web UI >> Contacts >> Edit Contact Image function adds attacker-chosen contact images to the targeted user's address book.
User(s) Impacted: End users who use the web user interface

Component(s) Impacted: Mobile/Accessibility User Interface, User - Settings
Impact Category: Security
Issue Outline: Mobile UI - CSRF - Change account settings
Impact Description / New User Experience: A forged cross-site request to the Mobile UI >> Edit User Settings function changes the targeted user's account settings.
User(s) Impacted: End users who use the mobile/accessibility user interface

Component(s) Impacted: Calendar, Calendar Events, Mobile/Accessibility User Interface
Impact Category: Security
Issue Outline: Mobile UI - CSRF - Add event to calendar
Impact Description / New User Experience: A forged cross-site request to the Mobile UI >> Calendars >> Create Calendar Event function adds attacker-chosen events to the targeted user's calendar.
User(s) Impacted: End users who use the mobile/accessibility user interface

Component(s) Impacted: Email, Mobile/Accessibility User Interface
Impact Category: Security
Issue Outline: Mobile UI - CSRF via XSS - Send email
Impact Description / New User Experience: A forged request to the Mobile UI >> Email >> Send email function, delivered via XSS, sends email on behalf of the targeted user.
User(s) Impacted: End users who use the mobile/accessibility user interface

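
The CSRF items above all have the same shape: a state-changing request (add contact, add contact image, change settings, add event, send email) that the server accepts without proof that it was issued from its own pages. The Python below is an added illustration of the usual fix and is not atmail's code; the Session class, the add-contact handler and the host name webmail.example.com are assumptions. A per-session secret token must accompany every state-changing POST and is compared in constant time, with an Origin/Referer check as a second layer.

```python
import hmac
import secrets
from urllib.parse import urlparse

SITE_HOST = "webmail.example.com"   # assumed host of the webmail UI


class Session:
    """Minimal server-side session (an assumption; atmail's session layout
    is not described in the release notes)."""
    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)   # fresh secret per login
        self.contacts = []


def verify_csrf(session: Session, method: str, form: dict, headers: dict) -> tuple:
    """Return (ok, reason) for a state-changing request.

    Three checks, each of which a cross-site attacker page fails:
    1. the request must be a POST (a GET that changes state is CSRF by
       construction, since an <img src=...> on any site triggers it);
    2. the form must carry the session's token, compared in constant time;
    3. if the browser sent Origin or Referer, it must name our own host.
    """
    if method.upper() != "POST":
        return False, "state change attempted over %s" % method.upper()
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token.encode("utf-8"),
                                            session.csrf_token.encode("utf-8")):
        return False, "missing or invalid csrf token"
    origin = headers.get("Origin") or headers.get("Referer")
    if origin:
        host = urlparse(origin).hostname
        if host != SITE_HOST:
            return False, "cross-site request from %s" % host
    return True, "ok"


def add_contact(session: Session, method: str, form: dict, headers: dict) -> tuple:
    """Assumed handler behind Web UI >> Contacts >> Import / add contact."""
    ok, reason = verify_csrf(session, method, form, headers)
    if ok:
        session.contacts.append({"name": form["name"], "email": form["email"]})
    return ok, reason


def csrf_form_field(session: Session) -> str:
    """Hidden input the legitimate page embeds in each of its own forms."""
    return '<input type="hidden" name="csrf_token" value="%s">' % session.csrf_token


if __name__ == "__main__":
    s = Session()
    # Constructed request as a victim's browser would send it from an
    # attacker-controlled page: auto-submitted form, no token, foreign Origin.
    print(add_contact(s, "POST", {"name": "Mallory", "email": "m@evil.example"},
                      {"Origin": "https://evil.example"}))
    # Constructed legitimate request from the webmail page itself.
    print(add_contact(s, "POST",
                      {"name": "Alice", "email": "a@example.com", "csrf_token": s.csrf_token},
                      {"Origin": "https://" + SITE_HOST}))
    print(len(s.contacts))
```

The same verify_csrf gate applies unchanged to the contact-image, settings, calendar-event and send-email handlers; the token check is what matters, because a browser sends the session cookie with a forged request but cannot read the token out of another origin's page.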
Component(s) Impacted: Email - Attachments, Mobile/Accessibility User Interface, Web User Interface
Impact Category: Security
Issue Outline: Send the attachment MIME type in the response headers when a user clicks an attachment to download it
Impact Description / New User Experience: Currently, when a user clicks an email attachment, the browser decides the type of the attachment and recommends an available application to open it. With this change, atmail specifies the MIME type of the attachment in the response headers, so the browser's download dialog bases its recommendation on the MIME type sent by the server rather than on the type the browser detects itself.

NOTE: Certain old Android browsers may NOT be compatible with this change. The application automatically detects Android and Dolphin mobile browsers and disables sending MIME types to them. Sending MIME types can also be disabled globally via the config option 'send_mime_types'.
User(s) Impacted: End users who use the web user interface; end users who use the mobile/accessibility user interface
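
The stored-XSS attachment fix (force download always) and the MIME-type change above both come down to the headers sent when an attachment is fetched. The Python below is an added illustration, not atmail's code: the header names are standard HTTP, but the User-Agent substring match for Android/Dolphin, the default value of send_mime_types and the X-Content-Type-Options: nosniff header are assumptions (the release notes name the config option and the browsers, not how they are detected, and do not mention nosniff).

```python
import re
from urllib.parse import quote

# Assumed default for the 'send_mime_types' option named in the release notes.
SEND_MIME_TYPES = True

# Assumed detection of the browsers the notes say must not get a MIME type:
# a case-insensitive substring match on the User-Agent header.
_LEGACY_MOBILE_UA = re.compile(r"android|dolphin", re.IGNORECASE)


def content_disposition(filename: str) -> str:
    """Always 'attachment', never 'inline', so an attachment whose bytes are
    really HTML/script is saved rather than rendered in the webmail origin."""
    # Strip CR/LF so a crafted name cannot inject a second header line.
    filename = re.sub(r"[\r\n]", "", filename)
    # ASCII fallback for old clients; non-ASCII, quotes and backslashes are neutralised.
    ascii_name = (filename.encode("ascii", "replace").decode("ascii")
                  .replace('"', "_").replace("\\", "_"))
    # RFC 5987 form carries the real UTF-8 name for modern browsers.
    return 'attachment; filename="%s"; filename*=UTF-8\'\'%s' % (
        ascii_name, quote(filename, safe=""))


def attachment_headers(filename: str, declared_type: str, user_agent: str,
                       send_mime_types: bool = SEND_MIME_TYPES) -> dict:
    """Response headers for an attachment download after the 7.5.0.2 change.

    declared_type is the MIME type recorded with the stored attachment (from
    its MIME part), never anything taken from the request."""
    send_type = send_mime_types and not _LEGACY_MOBILE_UA.search(user_agent or "")
    ctype = declared_type if (send_type and declared_type) else "application/octet-stream"
    return {
        "Content-Type": ctype,
        "Content-Disposition": content_disposition(filename),
        # Added hardening: stops the browser second-guessing Content-Type.
        "X-Content-Type-Options": "nosniff",
    }


def pre_fix_headers(filename: str) -> dict:
    """The behaviour the notes describe before the fix: inline disposition and
    no server-chosen type, so the browser sniffs and may render the body."""
    return {"Content-Disposition": 'inline; filename="%s"' % filename}


if __name__ == "__main__":
    ua_desktop = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/35.0"  # constructed
    ua_android = "Mozilla/5.0 (Linux; U; Android 2.3.6) AppleWebKit/533.1"   # constructed
    for ua in (ua_desktop, ua_android):
        print(attachment_headers("photo.jpg", "image/jpeg", ua))
    print(content_disposition('r\u00e9sum\u00e9".jpg'))
```

Forcing the attachment disposition is what closes the stored-XSS hole; sending the stored MIME type improves the download dialog but must never be paired with inline rendering, since an attacker controls both the bytes and the declared type of an incoming MIME part.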

Component(s) Impacted: Server Installation / Server Install Script
Impact Category: Functionality
Issue Outline: Change the SpamAssassin update panel to use the default SA mirror instead of the atmail mirror
Impact Description / New User Experience: Currently the SpamAssassin update panel uses the atmail SA mirror to perform the SA update during atmail server install, and the atmail SA mirror is no longer accessible. Resolution: change the SpamAssassin update panel to use the default SA mirror.
User(s) Impacted: System administrators who install atmail server
