basilix bug

["karol _" <su () poczta arena pl>]

+--------------------------------------+
                        | Basilix Webmail System Vulnerability |
                        +--------------------------------------+

Release Date :
13:49, 6 July 2001


Version Affected :

Basilix Webmail System 1.0.2beta
Basilix Webmail System 1.0.3beta


Description :

basilix lunches a file which name is read from an array request_id. 

from basilix.php3 :

        $file = $request_id["$RequestID"]; 
        if($file == "") exit();
        include($BSX_FILESDIR . "/" . $file);


so we could change it very easy, but in file lang.inc which is added
earlier in basilix.php3 there is a function which checks the RequestID
variable so we can not pass for example request_id[BLAH]=/etc/passwd.
But there is one hole in it and we can pass
request_id[DUMMY]=whatever_we_want and it will not fail. In effect
attacker can read any file in system ( if she/he has permission ) and
can 'execute' php files.


Example Exploit :

http://beta.basilix.org/basilix.php3?request_id[DUMMY]=../../../../etc/passwd&RequestID=DUMMY&username=blah&password=blah


Solutions:

remove DUMMY from lang.inc. it disallow to pass file names to include in
request_id[DUMMY].
the author already knows about this bug and he prepared a quick fix on
www.basilix.org.



Karol Więsek - su <su () poczta arena pl>