DirectoryTree ImapEngine IMAP Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in the DirectoryTree ImapEngine package, in versions prior to 1.22.3. The issue is in the id() function within ImapConnection.php, where user input is not properly escaped before being included in IMAP ID commands. An attacker can inject arbitrary IMAP commands by supplying input that contains quote characters or CRLF sequences. As a result, attackers could read or delete a victim's emails, terminate their session, or execute any valid IMAP command on their mailbox.
Impact
Exploitation of this vulnerability allows for IMAP command injection, where an attacker can execute arbitrary IMAP commands on the victim's mailbox. This includes reading or deleting emails, terminating the victim's email session, or any other action that can be performed via IMAP commands.
Reproduction
To reproduce this vulnerability, create an account on a web application that uses a DirectoryTree ImapEngine version prior to 1.22.3. Navigate to the settings and find the 'Client Name' field. Submit a payload that includes CRLF sequences and IMAP commands, such as 'LOGOUT' or 'FETCH' commands. The injected commands will be executed by the IMAP server, demonstrating the command injection vulnerability.
Remediation
Upgrade to DirectoryTree ImapEngine version 1.22.3 or later.
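Alongside the upgrade, an application can validate values such as 'Client Name' before they reach any IMAP layer. The sketch below is an added example, not ImapEngine's code or its 1.22.3 fix; imapQuoted() and buildIdCommand() are hypothetical helpers that apply the RFC 3501 quoted-string rules and the RFC 2971 ID limits, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not part of ImapEngine's API.

/** Encode $value as an RFC 3501 quoted string, or throw if it cannot be one. */
function imapQuoted(string $value): string
{
    // A quoted string may hold only 7-bit characters other than NUL, CR and LF.
    // CR and LF cannot be escaped inside quotes, so they must be rejected.
    if (preg_match('/[^\x01-\x09\x0B\x0C\x0E-\x7F]/', $value) === 1) {
        throw new InvalidArgumentException('not representable as an IMAP quoted string');
    }
    // Escape the two quoted-specials (backslash, double quote) in a single pass.
    return '"' . strtr($value, ['\\' => '\\\\', '"' => '\\"']) . '"';
}

/** Build an RFC 2971 ID command line (without tag or trailing CRLF). */
function buildIdCommand(array $fields): string
{
    if ($fields === []) {
        return 'ID NIL';
    }
    if (count($fields) > 30) {
        throw new InvalidArgumentException('RFC 2971 allows at most 30 field-value pairs');
    }
    $parts = [];
    foreach ($fields as $name => $value) {
        $name = (string) $name;
        if (strlen($name) > 30 || ($value !== null && strlen((string) $value) > 1024)) {
            throw new InvalidArgumentException('ID field or value exceeds RFC 2971 length limits');
        }
        $parts[] = imapQuoted($name) . ' ' . ($value === null ? 'NIL' : imapQuoted((string) $value));
    }
    return 'ID (' . implode(' ', $parts) . ')';
}

// Constructed sample inputs for a 'Client Name' setting.
$samples = ['Acme Mail 2.1', 'Acme "beta" \\ build', "Acme\r\nsecond line"];
foreach ($samples as $clientName) {
    try {
        echo buildIdCommand(['name' => $clientName]), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Rejecting CR and LF outright, rather than stripping them, keeps the stored setting and the value sent to the server identical and leaves a clear signal for logging.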
