Open Source and information security mailing list archives
 
Message-ID: <200512172343.jBHNhS5d012179@cairo.mitre.org>
Date: Sat, 17 Dec 2005 18:43:28 -0500 (EST)
From: "Steven M. Christey" <coley@...re.org>
To: king_purba@...oo.co.uk
Cc: bugtraq@...urityfocus.com
Subject: Re: Fullpath disclosure in roundcube webmail



>I try this request in my mailbox
>http://xxxx.com/roundcube/?_auth=cf559dcf52d8801ccd51cd1f3ba3eca08d1b0bce&_task=ma%60il
>then roundcube shows this warning

For the 3 people who might care about the distinction (e.g. vuln DBs
who exclude path disclosure), this appears to be a custom error
message, not one generated by PHP, and therefore a design choice by
the developer.

Notice that in the URL above, the "_task" parameter has the value
"ma`il" - an invalid value.

roundcube appears to perform some validation of the value, then gives
a verbose error message when the validation fails.

Near the end of index.php we have:

>   // only allow these templates to be included
>   $valid_tasks = array('mail','settings','addressbook');
>   
>   // parse main template
>   if (in_array($_task, $valid_tasks))
>     parse_template($_task);
>   
>   
>   // if we arrive here, something went wrong
>   raise_error(array('code' => 404,
>                     'type' => 'php',
>                     'line' => __LINE__,
>                     'file' => __FILE__,
>                     'message' => "Invalid request"), TRUE, TRUE);


So __FILE__ is part of the error message, which is inserted into a
text template.  The relevant code is in program/steps/error.inc and
program/include/bugs.inc.

This is based on source analysis of roundcubemail-0.1-20051021.

- Steve
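
An added example, not part of the original post and not Roundcube's code: one way to keep the `__FILE__`/`__LINE__` detail for the administrator while the client receives only a generic message and a reference id. The function names `split_error` and `fail_request` are hypothetical, the request value is constructed to match the one in the report, and PHP 7 or later is assumed for `random_bytes()`.

```php
<?php
// Added illustration; split_error() and fail_request() are hypothetical names.

// Build two views of one error: full detail for the server log,
// and a path-free message for the HTTP response.
function split_error(array $err, string $rejected): array
{
    $ref = bin2hex(random_bytes(4)); // correlation id shown to the user
    $log = sprintf(
        '[%s] code=%d type=%s msg=%s value=%s at %s:%d',
        $ref, $err['code'], $err['type'], $err['message'],
        json_encode($rejected),      // escapes control characters in the log line
        $err['file'], $err['line']
    );
    $public = sprintf('Error %d: %s (reference %s)',
                      $err['code'], $err['message'], $ref);
    return ['log' => $log, 'public' => $public];
}

// Log the detailed view, send the generic one, stop processing.
function fail_request(array $err, string $rejected): void
{
    $views = split_error($err, $rejected);
    error_log($views['log']);        // goes to the configured PHP error log
    if (!headers_sent()) {
        http_response_code($err['code']);
    }
    echo htmlspecialchars($views['public'], ENT_QUOTES, 'UTF-8');
    exit;
}

// Constructed input: the decoded "_task" value from the reported URL.
$task = 'ma`il';
$valid_tasks = ['mail', 'settings', 'addressbook'];

if (!in_array($task, $valid_tasks, true)) {
    fail_request([
        'code'    => 404,
        'type'    => 'php',
        'line'    => __LINE__,       // kept, but only written to the log
        'file'    => __FILE__,
        'message' => 'Invalid request',
    ], $task);
}
```

The reference id lets an administrator match a user's report to the log entry that holds the path and line number.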

