Bugtraq mailing list archives
Re: Security problems with TWIG webmail system
From: "Glover, Mike" <webmaster () DULUOZ NET>
Date: Wed, 29 Nov 2000 15:24:41 -0800
> Another option... in index.php3, replace the line:
>
>     if( $vhosts[$SERVER_NAME] )
>
> with:
>
>     if( $vhosts[$SERVER_NAME] && !isset($HTTP_GET_VARS['vhosts']) )
This will just make it slightly more difficult to exploit the bug -- you've
still got HTTP_POST_VARS and HTTP_COOKIE_VARS to check. Perhaps something
like this:

    /* Return the global $varname only if it was not supplied by the
     * request (GET, POST or cookie), i.e. it was set by local code. */
    function fetchlocalvar ($varname) {
        /* The HTTP_*_VARS arrays are ordinary globals, so they have to be
         * declared inside the function; $GLOBALS[$varname] is used instead
         * of $$varname, which would only look in the function's own scope. */
        global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;
        if ( $GLOBALS[$varname]
             && ! isset($HTTP_GET_VARS[$varname])
             && ! isset($HTTP_POST_VARS[$varname])
             && ! isset($HTTP_COOKIE_VARS[$varname]) ) {
            return $GLOBALS[$varname];
        }
        return NULL;
    }

and use it like this:

    if ( $vhosts = fetchlocalvar("vhosts") ) { ... }

-mike
> This essentially checks to make sure that the vhosts element was defined
> locally (in config/config.inc.php3), not in the URL.
>
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Geoffrey W. Martin
> Unix Support Group System Administrator
> Brock University
> St. Catharines, Ontario
> geoff () spartan ac BrockU CA
> Canada
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
--
Mike Glover
webmaster () duluoz net
Duluoz Networks
http://www.duluoz.net
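A stand-alone script that exercises a guard of this kind against a simulated register_globals request, as an added example that is not code from the original thread or from TWIG. It assumes the modern $_GET/$_POST/$_COOKIE superglobals rather than the HTTP_*_VARS arrays of PHP 3/4, and emulates register_globals with extract(); the host name and config values are constructed.

```php
<?php
// Added example (not from the original post or the TWIG project): reproduce
// the register_globals problem discussed in the thread and show the
// fetchlocalvar()-style guard rejecting a request-supplied $vhosts.
// Assumptions: $_GET/$_POST/$_COOKIE instead of HTTP_*_VARS, and
// register_globals=On emulated with extract().

// Simulated config/config.inc.php3: the legitimate, locally defined value.
$vhosts = array('mail.example.org' => 'local-config-entry');

// Constructed request: a vhosts array arriving via the query string.
$_GET    = array('vhosts' => array('mail.example.org' => 'injected-entry'));
$_POST   = array();
$_COOKIE = array();

// Emulate register_globals: request variables become globals and clobber $vhosts.
extract($_GET, EXTR_OVERWRITE);

// Return the global $varname only if no request source supplied a value for it.
function fetchlocalvar($varname)
{
    if (isset($GLOBALS[$varname])
        && !isset($_GET[$varname])
        && !isset($_POST[$varname])
        && !isset($_COOKIE[$varname])) {
        return $GLOBALS[$varname];
    }
    return null;
}

$SERVER_NAME = 'mail.example.org';   // constructed virtual host name

// Case 1: the name is present in $_GET, so the guard refuses the variable
// even though the global is set and truthy.
echo "with injected GET parameter: ",
     (fetchlocalvar('vhosts') === null ? "rejected" : "accepted"), "\n";

// Case 2: no request parameter; the locally configured value is accepted.
unset($_GET['vhosts']);
$vhosts = array('mail.example.org' => 'local-config-entry'); // config re-read
$v = fetchlocalvar('vhosts');
echo "from local config: ", ($v === null ? "rejected" : $v[$SERVER_NAME]), "\n";
```

The guard only detects a request-supplied name; initialising $vhosts = array() before config.inc.php3 is included, or running with register_globals off, removes the clobbered value altogether.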