Bluehost Webmail App.
Bluehost webmail app is a PHP script that gives you access to your Bluehost Webmail account without using a browser. This is beneficial for the everyday person who wants to check email from anywhere whether it be from their computer or another computer at an internet cafe. However, this can also be very dangerous if another user was able to gain access to the script. It could potentially allow them access to your email. If you have a website, it could even allow them access to the database that contains all of your emails and passwords.
Must Read: Bluehost Webmail
No this is not a click-bait title, I was just trying to be as catchy as possible! The fact is though, there are serious security concerns regarding this software. Not only is it a security concern that could potentially allow access to your email, but also the fact that this script requires the usage of root credentials when executing.
This information was brought to attention by [Tobias Fiebig](https://twitter.com/tobiasf), and in his blog post, he stated: “During analysis, I found out, that this script requires root access to send mail. That means if your web server is compromised by an attacker (e.g. through a 0day vulnerability in the app itself) he can use this script to send out all emails stored on your email account.”
Tobias also states “I recommend you deinstall it, but if you want to use it, you should add firewall rules that only allow access for specific IPs.”
To be clear, the issue with this script was that it uses root to execute. It is not the fact that it requires root to send the email. There is nothing wrong with running the script as a regular user, as long as you trust them not to hijack your email or send out spam from your account. With that being said, a user could modify the script and insert a backdoor for other users.
It should also be noted that this script requires MySQL to function properly. It is possible that it would work with other databases such as PostgreSQL, but I have not personally tested it out. So please do a little research on your own if you want to try and get it working with something other than MySQL.
Now let’s talk about the security implications of using this script! Again, the root is required when executing which means someone could potentially hijack your email account if they have access to the script. It would not be very difficult to modify it so that it will send out an email from your account, or create a backdoor that allows them access to everything else on your website including your database!
So far I have only found one of these scripts online, but I am sure there are many more out there since Bluehost is hosting thousands of websites. From what I can tell, it would be very difficult to find this script online since many people may not even know how to look for something like that.
I sent this information to Bluehost and they responded saying “We are currently working on removing any links that point towards the webpage containing the Webmail App.”