6717967 2001-07-06 21:04 +0200 /56 lines/ karol _ <su@poczta.arena.pl>
Sent by: joel@lysator.liu.se
Imported: 2001-07-07 21:33 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External cc recipient: arslanm@Bilkent.EDU.TR
Recipient: Bugtraq (import) <17836>
Subject: basilix bug
------------------------------------------------------------
From: "karol _" <su@poczta.arena.pl>
To: bugtraq@securityfocus.com
Cc: arslanm@Bilkent.EDU.TR
Message-ID: <1fb8c2e127156a4d.27156a4d1fb8c2e1@poczta.arena.pl>

+--------------------------------------+
| Basilix Webmail System Vulnerability |
+--------------------------------------+

Release Date     : 13:49, 6 July 2001
Version Affected : Basilix Webmail System 1.0.2beta
                   Basilix Webmail System 1.0.3beta

Description :

Basilix includes a file whose name is read from the array $request_id,
indexed by the request variable $RequestID. From basilix.php3:

    $file = $request_id["$RequestID"];
    if($file == "") exit();
    include($BSX_FILESDIR . "/" . $file);

Both $request_id and $RequestID arrive as request variables (see the
exploit URL below), so the included file name is easy to change. However,
lang.inc, which basilix.php3 pulls in earlier, contains a function that
checks the RequestID variable, so simply passing request_id[BLAH]=/etc/passwd
fails. That check has one hole: the ID DUMMY is accepted, and
request_id[DUMMY]=whatever_we_want passes through unchanged. As a result an
attacker can read any file on the system that the web server process has
permission to read, and can 'execute' (include) any PHP file on it.

Example Exploit :

http://beta.basilix.org/basilix.php3?request_id[DUMMY]=../../../../etc/passwd&RequestID=DUMMY&username=blah&password=blah

Solutions:

Remove DUMMY from lang.inc; this disallows passing file names to include
via request_id[DUMMY]. The author already knows about this bug and has
prepared a quick fix at www.basilix.org.

Karol Więsek - su <su@poczta.arena.pl>
(6717967) /karol _ <su@poczta.arena.pl>/--(Reflowed)
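As an added example that is not part of the advisory or of the Basilix code base, the following PHP contrasts the dispatch pattern the advisory describes (a client-supplied $RequestID selecting an entry of a client-supplied $request_id array, which is then passed to include()) with a hardened form in which the client can only select a key and every file name is a server-side constant. The page does not show lang.inc, so the "known IDs plus DUMMY" check is a hypothetical reconstruction of the behaviour described; the function names, the file names, the $BSX_FILESDIR value and the register_globals assumption are likewise assumptions, not Basilix code.

```php
<?php
declare(strict_types=1);

// Added example, not Basilix code. It models the dispatch quoted in the
// advisory: the request chooses $RequestID, and basilix.php3 then does
// include($BSX_FILESDIR . "/" . $request_id[$RequestID]).
// What lang.inc's check looked like is not on the page; the version below
// is a hypothetical reconstruction of the behaviour the advisory describes
// (known IDs are accepted, and the placeholder ID "DUMMY" is accepted too,
// with no server-side file bound to it).

$BSX_FILESDIR = '/var/www/basilix/files';   // assumed install path

/**
 * Vulnerable pattern (reconstruction).
 *
 * With register_globals (assumed, as it was the PHP 3/4 default in 2001)
 * both $RequestID and the $request_id array are populated from the query
 * string, so request_id[DUMMY]=../../../../etc/passwd is attacker-controlled.
 */
function vulnerable_pick_file(array $request_id, string $RequestID): ?string
{
    $known = ['LOGIN', 'INBOX', 'DUMMY'];     // hypothetical list of accepted IDs
    if (!in_array($RequestID, $known, true)) {
        return null;                           // unknown ID: rejected, as the advisory notes
    }
    $file = $request_id[$RequestID] ?? '';
    if ($file === '') {
        return null;                           // mirrors: if($file == "") exit();
    }
    return $file;                              // for DUMMY this is the client's own string
}

/**
 * Hardened pattern.
 *
 * The client only selects a key; the file name itself is a server-side
 * constant. There is no placeholder key, so nothing the client sends can
 * ever reach include().
 */
const REQUEST_FILES = [
    'LOGIN' => 'login.inc',                    // hypothetical file names
    'INBOX' => 'inbox.inc',
];

function safe_pick_file(string $RequestID): ?string
{
    return REQUEST_FILES[$RequestID] ?? null;
}

function safe_include_path(string $filesDir, string $RequestID): ?string
{
    $file = safe_pick_file($RequestID);
    if ($file === null) {
        return null;
    }
    // Defence in depth: even a table entry must be a bare file name, never a path.
    if ($file !== basename($file)) {
        return null;
    }
    return $filesDir . '/' . $file;
}

// Constructed input reproducing the advisory's request:
//   ?request_id[DUMMY]=../../../../etc/passwd&RequestID=DUMMY
$attack = ['DUMMY' => '../../../../etc/passwd'];

printf("vulnerable: %s\n", vulnerable_pick_file($attack, 'DUMMY') ?? 'rejected');
printf("hardened:   %s\n", safe_include_path($BSX_FILESDIR, 'DUMMY') ?? 'rejected');
printf("hardened:   %s\n", safe_include_path($BSX_FILESDIR, 'INBOX') ?? 'rejected');
```

In the vulnerable form the string returned for DUMMY is exactly what include() would receive, which is why the advisory's traversal string discloses /etc/passwd and why any readable .php file on the host would be executed rather than displayed. In the hardened form the fix the advisory recommends (dropping DUMMY) is the natural state of affairs: a key with no bound file simply has no table entry, and the include path is assembled entirely from server-side constants, so no request parameter can influence it.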