OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: karol _ (supoczta.arena.pl)
Date: Fri Jul 06 2001 - 14:04:55 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    +--------------------------------------+
                            | Basilix Webmail System Vulnerability |
                            +--------------------------------------+

    Release Date :
    13:49, 6 July 2001

    Version Affected :

    Basilix Webmail System 1.0.2beta
    Basilix Webmail System 1.0.3beta

    Description :

    basilix lunches a file which name is read from an array request_id.

    from basilix.php3 :

            $file = $request_id["$RequestID"];
            if($file == "") exit();
            include($BSX_FILESDIR . "/" . $file);

    so we could change it very easy, but in file lang.inc which is added
    earlier in basilix.php3 there is a function which checks the RequestID
    variable so we can not pass for example request_id[BLAH]=/etc/passwd.
    But there is one hole in it and we can pass
    request_id[DUMMY]=whatever_we_want and it will not fail. In effect
    attacker can read any file in system ( if she/he has permission ) and
    can 'execute' php files.

    Example Exploit :

    http://beta.basilix.org/basilix.php3?request_id[DUMMY]=../../../../etc/passwd&RequestID=DUMMY&username=blah&password=blah

    Solutions:

    remove DUMMY from lang.inc. it disallow to pass file names to include in
    request_id[DUMMY].
    the author already knows about this bug and he prepared a quick fix on
    www.basilix.org.

    Karol WiÍsek - su <supoczta.arena.pl>