lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: 24 Apr 2010 17:31:37 -0000
From: eidelweiss@...erservices.com
To: bugtraq@...urityfocus.com
Subject: Madirish Webmail 2.01 (basedir) RFI/LFI Vulnerability

Madirish Webmail is prone to Multiple vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

There is a vulnerability in almost every file directory of Madirish Webmail v2.01.
Vendor fix the vulnerability in version 2.0 and update to v2.0.1
But vendor not perfectly fix the vulnerability , they just edit the code to handle Remote file inclusions,
but as we see still have RFI vulnerability and now i see possible LFI there.

Attackers can exploit these issues via a browser.

The following example is available:

========================================================================
 
	-=[ P0C RFI ]=-

	http://127.0.0.1/Madirish_Webmail/lib/addressbook.php?basedir= [sh3ll inj3ct0r]

	-=[ P0C LFI ]=-

	http://127.0.0.1/Madirish_Webmail/index.php?basedir= [LFI]%00

	etc, etc, etc

========================================================================

Solution: Fix / Edit the code or update to new version if available, Example:

*/
require_once($basedir."lib/sql.php");	// change into require_once("Madirish_Webmail/lib/sql.php");
require_once($basedir."lib/html.php");	// change into require_once("Madirish_Webmail/lib/html.php");

=========================| -=[ E0F ]=- |=================================

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ