Re: Security problems with TWIG webmail system

[Geoff Martin <geoff () BROCKU CA>]

> > Twig is a popular webmail system written in
PHP,  once called Muppet.
> > Author: Christopher Heschong
> > Homepage: http://twig.screwdriver.net
> > Version: 2.5.1 ( latest )
> > Problem: The possibility of processing our own
php file , can leed to
> > arbitrary command execution on the server as
the httpd user.
> I'll refrain from the usual comments about
disclosure of vulnerability
> information without fix details. As a short term
fix try the following:
> Simply add:
>     unset($config);
>     unset($vhosts);
> at the top of config/config.inc.php3
>
> Also add:
>     unset($dbconfig);
> at the top of config/dbconfig.inc.php3 for good
measure.
> Please note that this vulnerability is only
exploitable if the URL fopen
> wrappers functionality is compiled in (it is by
default) and the script
> isn't being run on the windows platform (Windows
does not support Remote
> Files functionality in include() statements).

Another option... in index.php3, replace the line:

if( $vhosts[$SERVER_NAME] )

with:

if( $vhosts[$SERVER_NAME] &&
!isset($HTTP_GET_VARS[vhosts]) )

This essentially checks to make sure that the
vhosts element was defined locally (in
config/config.inc.php3), not in the URL.

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Geoffrey W. Martin             Unix Support Group
System Administrator             Brock University
                          St. Catharines, Ontario
geoff () spartan ac BrockU CA                 Canada
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=