Bugtraq mailing list archives

Re: Security problems with TWIG webmail system


From: João Gouveia <cercthar () TELEWEB PT>
Date: Wed, 29 Nov 2000 19:20:20 -0000

Hi,

(snip)
Another option... in index.php3, replace the line:

if( $vhosts[$SERVER_NAME] )

with:

if( $vhosts[$SERVER_NAME] &&
!isset($HTTP_GET_VARS[vhosts]) )

This essentially checks to make sure that the
vhosts element was defined locally (in
config/config.inc.php3), not in the URL.

I think that's not an efficient fix. That or I'm seeing strange things.
Try this: index.php3?HTTP_GET_VARS=&vhosts[twig.server.tld]=test

Best regards,

Joao Gouveia aka Tharbad
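
The bypass reported in this message, next to a check that does not depend on `$HTTP_GET_VARS`, as an added example (not TWIG code and not written by anyone in the thread). It models the old import of request parameters into global scope with an array, and assumes that a parameter named `HTTP_GET_VARS` replaces the tracking array, as the reply reports; `import_request`, `check_isset`, `check_initialised` and `$local_config` are hypothetical names.

```php
<?php
// Added illustration, not TWIG code. Current PHP has no register_globals, so
// the import of request parameters into global scope is modelled with $scope.
// Assumption: a parameter named HTTP_GET_VARS replaces the tracking array,
// which is the behaviour the reply reports.
function import_request(string $query): array
{
    parse_str($query, $get);
    $scope = ['HTTP_GET_VARS' => $get];
    foreach ($get as $name => $value) {
        $scope[$name] = $value;   // register_globals-style import
    }
    return $scope;
}

// Check proposed in the thread: trust $vhosts unless the URL supplied it.
function check_isset(array $scope, string $server): bool
{
    return !empty($scope['vhosts'][$server])
        && !isset($scope['HTTP_GET_VARS']['vhosts']);
}

// Hardened form: discard request-supplied $vhosts, then load local entries.
// $local_config is a hypothetical stand-in for config/config.inc.php3.
function check_initialised(array $scope, string $server, array $local_config): bool
{
    $scope['vhosts'] = [];
    foreach ($local_config as $host => $value) {
        $scope['vhosts'][$host] = $value;
    }
    return !empty($scope['vhosts'][$server]);
}

// Constructed inputs: no virtual host is configured locally.
$server = 'twig.server.tld';
$local  = [];
$cases  = [
    'vhosts only'    => 'vhosts[twig.server.tld]=test',
    'URL from reply' => 'HTTP_GET_VARS=&vhosts[twig.server.tld]=test',
];
foreach ($cases as $label => $query) {
    $scope = import_request($query);
    printf("%-15s isset check: %s, initialised: %s\n", $label,
        check_isset($scope, $server) ? 'accepts' : 'rejects',
        check_initialised($scope, $server, $local) ? 'accepts' : 'rejects');
}
```

Resetting the variable before the local configuration is loaded removes the dependence on any request-derived array, so it holds regardless of which names the URL supplies.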

