[17837] in bugtraq
Re: Security problems with TWIG webmail system
daemon@ATHENA.MIT.EDU (Geoff Martin)
Wed Nov 29 14:05:06 2000
Message-Id: <20001129150540.21967.qmail@securityfocus.com>
Date: Wed, 29 Nov 2000 15:05:40 -0000
Reply-To: geoff@BROCKU.CA
From: Geoff Martin <geoff@BROCKU.CA>
To: BUGTRAQ@SECURITYFOCUS.COM
> > Twig is a popular webmail system written in PHP, once called Muppet.
> > Author: Christopher Heschong
> > Homepage: http://twig.screwdriver.net
> > Version: 2.5.1 ( latest )
> > Problem: The possibility of processing our own php file, can lead to
> > arbitrary command execution on the server as the httpd user.
>
> I'll refrain from the usual comments about disclosure of vulnerability
> information without fix details. As a short term fix try the following:
>
> Simply add:
> unset($config);
> unset($vhosts);
> at the top of config/config.inc.php3
>
> Also add:
> unset($dbconfig);
> at the top of config/dbconfig.inc.php3 for good measure.
>
> Please note that this vulnerability is only exploitable if the URL fopen
> wrappers functionality is compiled in (it is by default) and the script
> isn't being run on the windows platform (Windows does not support Remote
> Files functionality in include() statements).

Another option... in index.php3, replace the line:
if( $vhosts[$SERVER_NAME] )
with:
if( $vhosts[$SERVER_NAME] && !isset($HTTP_GET_VARS[vhosts]) )
This essentially checks to make sure that the vhosts element was defined
locally (in config/config.inc.php3), not in the URL.
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Geoffrey W. Martin Unix Support Group
System Administrator Brock University
St. Catharines, Ontario
geoff@spartan.ac.BrockU.CA Canada
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
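
The check suggested in this message, as an added example that is not part of the original post or of TWIG's code: it generalizes the GET-only test to POST and cookie parameters, which PHP of that era could also import as global variables, and to the `$config` and `$dbconfig` names from the quoted fix. The function names, the constant and the sample requests are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; not TWIG code. Function names and sample data are
// hypothetical and constructed for this example.

// Configuration variables that must only ever be set by the local config files.
const PROTECTED_NAMES = ['vhosts', 'config', 'dbconfig'];

/**
 * List every "source:name" pair where a request parameter carries the name
 * of a protected configuration variable.
 */
function request_supplied_names(array $sources): array
{
    $hits = [];
    foreach ($sources as $label => $params) {
        foreach (PROTECTED_NAMES as $name) {
            if (array_key_exists($name, $params)) {
                $hits[] = "$label:$name";
            }
        }
    }
    return $hits;
}

/**
 * Use the per-vhost configuration only when the entry exists locally and no
 * request source tried to supply a protected name.
 */
function vhost_config_trusted(array $vhosts, string $serverName, array $sources): bool
{
    return request_supplied_names($sources) === [] && isset($vhosts[$serverName]);
}

// Constructed data: the locally defined vhost table and three sample requests.
$local = ['mail.example.org' => 'example-org'];
$clean = ['GET' => ['folder' => 'INBOX'], 'POST' => [], 'COOKIE' => []];
$viaGet = ['GET' => ['vhosts' => ['mail.example.org' => 'x']], 'POST' => [], 'COOKIE' => []];
$viaCookie = ['GET' => [], 'POST' => [], 'COOKIE' => ['vhosts' => ['mail.example.org' => 'x']]];

var_dump(vhost_config_trusted($local, 'mail.example.org', $clean));
var_dump(vhost_config_trusted($local, 'mail.example.org', $viaGet));
var_dump(vhost_config_trusted($local, 'mail.example.org', $viaCookie));
print_r(request_supplied_names($viaCookie));
```

In a live script the `$sources` array would be built from `$_GET`, `$_POST` and `$_COOKIE` (`$HTTP_GET_VARS`, `$HTTP_POST_VARS` and `$HTTP_COOKIE_VARS` on PHP 3/4), and the check would run before any path derived from `$vhosts` reaches `include()`.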