[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Pegasus Mail remotely exploitable security hole

Title: Pegasus Mail remotely exploitable security hole
Released by: Imran Ghory
Date: 3rd October 2000
Printable version: Click here

The default setup of Pegasus Mail contains a remotely exploitable security

hole that allows a remote website to gain copies of files on the users hard



Version tested: Pegasus Mail v3.12c with IE5.0

When the webpage containing the exploit code is viewed using IE5,

Pegasus mail will automatically creates a message which has a copy

of the file "c:\test.txt" and is addressed to "hacker@hakersite.com" and

queues it ready to be sent without any further user intervention

If instead of "hacker@hakersite.com" we have a local user,

"hacker" the message won't be queued but just sent immediately.

Exploit code:

Temporary Fix:

1) Don't run Pegasus Mail at the same time as a web browser

This is not a complete solution as Pegasus Mail will load up if the exploit

code is run, but this at least will be more noticable to the user.


As I earlier posted a message to vuln-dev giving the basics of this exploit

without the realizing the consequeces (at that stage the user had to click on

a link for the exploit to come into play), I have decided to publish the full

exploit before contacting the vendor.


Imran Ghory

(C) 1999-2000 All rights reserved.