Twig Remote Arbitrary Script Execution Vulnerability

Twig is a popular web-based email system written in PHP3. Version 2.5.1 and possibly earlier versions of Twig contain a vulnerability that may allow a remote attacker to gain local access to the webserver on which it is installed with httpd privileges.

One of Twig's component scripts, index.php3, uses a variable called vhosts[], containing entries for each virtual host on the webserver. It is referenced in index.php3 when loading "include" PHP3 scripts, which will be interpreted and executed when loaded.

Unfortunately, this variable isn't initialized before it is referenced, making it possible for an attacker to remotely set its value to an arbitrary host. When index.php3 references values in this variable it will find the one set remotely by the attacker. The script will then attempt to retrieve a php3 include file from the host in the vhosts[] variable.

If this host serves valid php3 include files as requested by index.php3, the script will be loaded and its contents interpreted/executed.


Privacy Statement
Copyright 2010, SecurityFocus