Bugtraq mailing list archives

RES: Basilix Webmail System *.class *.inc Permission Vulnerability


From: Erick Johny Maciel Bol <Erick.Bol () AMAZONIACELULAR COM BR>
Date: Sat, 13 Jan 2001 15:43:28 -0300

"This is not a bug, it's a feature..."
This is NOT really a bug, but a misconfiguration that affects **EVERY** web
server that supports a script language (like PHP, ASP, Cold Fusion or
others).
Example: You have Apache with PHP and configure ONLY the .php extension to
be interpreted by the PHP engine; if you use a file with a .php4 extension
(or .inc, .class or another) as an "include file", this is a potential problem
if you have typed valuable information in these files, such as database
connection, services running or installed, network topology and others.
The problem in exploiting this misconfiguration is knowing the names of the files
used as "include files", as they don't appear in the interpreted script that
calls the "include file".
Workarounds for the web admin: list every file extension used for "script
files" and "include files" in the web server and verify if they are
configured. These files can't be accessed by other network services (such as ftp or
nfs) or locally. And don't forget the permissions of the files...
Workaround for the script writers: if your script uses uncommon extensions,
include that information in the documentation, with the configuration method
for the web server.
PS: Sorry for the (I think) poor English :-(

Erick Bol
Support Analyst
Customer Services
Amazônia Celular
Mobile: (91)9983-5555

----- Original message -----
From:         Tamer Sahin [SMTP:feedback () TAMERSAHIN NET]
Sent:         Thursday, 11 January 2001 21:33
To:           BUGTRAQ () SECURITYFOCUS COM
Subject:      Basilix Webmail System *.class *.inc Permission Vulnerability

---------------------------------------------------
tamersahin.net Security Solutions Announcement
---------------------------------------------------
 
Basilix Webmail System *.class *.inc Permission Vulnerability
 
 
Release Date:
January 12, 2001
 

Version Affected:
Basilix Webmail System 0.9.7beta
 

Description:
There is a simple mistake in the Basilix Webmail system. If the .class file
extension is not defined as a PHP script in httpd.conf, any attacker
may see very valuable information by simply entering the URL:
 
<http://victim.host/mysql.class>
 
The MySQL password and username are stored in this file.
 

Example Exploit:
 
http://<running-basilix>/class/mysql.class

http://<running-basilix>/inc/sendmail.inc (settings.inc and etc.)
 

Solutions:
Class and inc file extensions should be defined as PHP files and shouldn't
be given read permissions from outside. Obviously, the MySQL port should
also be filtered from remote connections.

Regards;

Tamer Sahin
<http://www.tamersahin.net>
feedback () tamersahin net

"Every blows that don't kill me make me stronger."
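
The admin workaround in the reply (list every extension used for script and include files and verify each is configured) can be automated. This is an added example, not code from either post or from Basilix: it assumes the PHP mapping is done with `AddType`/`AddHandler` lines in httpd.conf, and the function names, docroot contents and credentials are constructed for illustration.

```python
import os
import re
import tempfile

# Matches the Apache directives that bind extensions to the PHP engine, e.g.
#   AddType application/x-httpd-php .php .php3
DIRECTIVE = re.compile(r"^\s*Add(?:Type|Handler)\s+(\S*php\S*)\s+(.+)$", re.I)

def php_extensions(conf_text):
    """Return the set of extensions (lowercase, no dot) mapped to PHP."""
    mapped = set()
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line.split("#", 1)[0])  # ignore trailing comments
        if m:
            mapped.update(e.lstrip(".").lower() for e in m.group(2).split())
    return mapped

def exposed_includes(docroot, mapped):
    """List files under docroot that hold PHP code but would be served raw."""
    hits = []
    for folder, _dirs, files in os.walk(docroot):
        for name in files:
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            if ext in mapped:
                continue  # the PHP engine interprets this file
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                if b"<?" in fh.read(4096):  # PHP open tag; also flags <?xml
                    hits.append(os.path.relpath(path, docroot).replace(os.sep, "/"))
    return sorted(hits)

def demo():
    """Constructed docroot using the file paths named in the advisory."""
    sample = {
        "index.php": b"<?php include('class/mysql.class'); ?>",
        "class/mysql.class": b"<?php $db_user='x'; $db_pass='placeholder'; ?>",
        "inc/sendmail.inc": b"<?php $sendmail_path='/usr/sbin/sendmail'; ?>",
        "logo.gif": b"GIF89a",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        weak = "AddType application/x-httpd-php .php\n"
        fixed = "AddType application/x-httpd-php .php .class .inc\n"
        return [exposed_includes(root, php_extensions(c)) for c in (weak, fixed)]

if __name__ == "__main__":
    print(demo())
```

Any path the audit reports is one the server would hand out as plain text; the remaining items from both posts (file permissions, access via other services, filtering the MySQL port) are outside what this check covers.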



