[41717] in bugtraq
Re: Fullpath disclosure in roundcube webmail
daemon@ATHENA.MIT.EDU (Steven M. Christey)
Sat Dec 17 19:32:26 2005
Date: Sat, 17 Dec 2005 18:43:28 -0500 (EST)
Message-Id: <200512172343.jBHNhS5d012179@cairo.mitre.org>
From: "Steven M. Christey" <coley@mitre.org>
To: king_purba@yahoo.co.uk
Cc: bugtraq@securityfocus.com
>I try this request in my mailbox
>http://xxxx.com/roundcube/?_auth=3Dcf559dcf52d8801ccd51cd1f3ba3eca08d1b0
>bce= &_task=3Dma%60il then roundcube shows this warning
For the 3 people who might care about the distinction (e.g. vuln DBs
who exclude path disclosure), this appears to be a custom error
message, not one generated by PHP, and therefore a design choice by
the developer.
Notice that in the URL above, the "_task" parameter has the value
"ma`il" - an invalid value.
roundcube appears to perform some validation of the value, then giving
a verbose error message when the validation fails.
Near the end of index.php we have:
> // only allow these templates to be included
> $valid_tasks = array('mail','settings','addressbook');
>
> // parse main template
> if (in_array($_task, $valid_tasks))
> parse_template($_task);
>
>
> // if we arrive here, something went wrong
> raise_error(array('code' => 404,
> 'type' => 'php',
> 'line' => __LINE__,
> 'file' => __FILE__,
> 'message' => "Invalid request"), TRUE, TRUE);
So __FILE__ is part of the error message, which is inserted into a
text template. The relevant code is in program/steps/error.inc and
program/include/bugs.inc.
This is based on source analysis of roundcubemail-0.1-20051021.
- Steve
