Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Security problems with TWIG webmail system

From: "Glover, Mike" <webmaster () DULUOZ NET>
Date: Wed, 29 Nov 2000 15:24:41 -0800

Another option... in index.php3, replace the line:

if( $vhosts[$SERVER_NAME] )

with:

if( $vhosts[$SERVER_NAME] &&
!isset($HTTP_GET_VARS[vhosts]) )


   This will just make it slightly more difficult to exploit the
bug -- you've still got HTTP_POST_VARS and HTTP_COOKIE_VARS to
check.  Perhaps something like this:

function fetchlocalvar ($varname) {

  if ( $$varname        
     && ! isset($HTTP_GET_VARS[$varname]
     && ! isset($HTTP_POST_VARS[$varname]
     && ! isset($HTTP_COOKIE_VARS[$varname] )
  {
    return $$varname;
  }

  return NULL;
}

and use it like this:

  if ( $vhosts = fetchlocalvar("vhosts") ) {
    ...
  }


-mike





This essentially checks to make sure that the
vhosts element was defined locally (in
config/config.inc.php3), not in the URL.

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Geoffrey W. Martin             Unix Support Group
System Administrator             Brock University
                          St. Catharines, Ontario
geoff () spartan ac BrockU CA                 Canada
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=




--

Mike Glover                            webmaster () duluoz net
Duluoz Networks                        http://www.duluoz.net
Previous By Date Next
Previous By Thread Next

Current thread: