[21385] in bugtraq
basilix bug
daemon@ATHENA.MIT.EDU (karol _)
Sat Jul 7 15:30:07 2001
From: "karol _" <su@poczta.arena.pl>
To: bugtraq@securityfocus.com
Cc: arslanm@Bilkent.EDU.TR
Message-ID: <1fb8c2e127156a4d.27156a4d1fb8c2e1@poczta.arena.pl>
Date: Fri, 06 Jul 2001 21:04:55 +0200
MIME-Version: 1.0
Content-Language: pl
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
+--------------------------------------+
| Basilix Webmail System Vulnerability |
+--------------------------------------+
Release Date :
13:49, 6 July 2001
Version Affected :
Basilix Webmail System 1.0.2beta
Basilix Webmail System 1.0.3beta
Description :
basilix lunches a file which name is read from an array request_id.
from basilix.php3 :
$file = $request_id["$RequestID"];
if($file == "") exit();
include($BSX_FILESDIR . "/" . $file);
so we could change it very easy, but in file lang.inc which is added
earlier in basilix.php3 there is a function which checks the RequestID
variable so we can not pass for example request_id[BLAH]=/etc/passwd.
But there is one hole in it and we can pass
request_id[DUMMY]=whatever_we_want and it will not fail. In effect
attacker can read any file in system ( if she/he has permission ) and
can 'execute' php files.
Example Exploit :
http://beta.basilix.org/basilix.php3?request_id[DUMMY]=../../../../etc/passwd&RequestID=DUMMY&username=blah&password=blah
Solutions:
remove DUMMY from lang.inc. it disallow to pass file names to include in
request_id[DUMMY].
the author already knows about this bug and he prepared a quick fix on
www.basilix.org.
Karol Wiêsek - su <su@poczta.arena.pl>
