[17854] in bugtraq
Re: Security problems with TWIG webmail system
daemon@ATHENA.MIT.EDU (Glover, Mike)
Thu Nov 30 15:14:39 2000
Message-Id: <20001129232441.13329.qmail@paradise.duluoz.net>
Date: Wed, 29 Nov 2000 15:24:41 -0800
Reply-To: webmaster@DULUOZ.NET
From: "Glover, Mike" <webmaster@DULUOZ.NET>
X-To: geoff@BROCKU.CA
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20001129150540.21967.qmail@securityfocus.com> from "Geoff
Martin" at Nov 29, 2000 03:05:40 PM
>
> Another option... in index.php3, replace the line:
>
> if( $vhosts[$SERVER_NAME] )
>
> with:
>
> if( $vhosts[$SERVER_NAME] &&
> !isset($HTTP_GET_VARS[vhosts]) )
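
This will just make it slightly more difficult to exploit the
bug -- you've still got HTTP_POST_VARS and HTTP_COOKIE_VARS to
check. Perhaps something like this:

function fetchlocalvar ($varname) {
    // The request arrays are not visible inside a function unless
    // declared global.
    global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;

    // Look the name up in the global scope ($$varname here would be a
    // function-local variable) and accept it only if no request
    // source supplied it.
    if ( $GLOBALS[$varname]
         && ! isset($HTTP_GET_VARS[$varname])
         && ! isset($HTTP_POST_VARS[$varname])
         && ! isset($HTTP_COOKIE_VARS[$varname]) )
    {
        return $GLOBALS[$varname];
    }
    return NULL;
}

and use it like this:

if ( $vhosts = fetchlocalvar("vhosts") ) {
    ...
}
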
-mike
>
> This essentially checks to make sure that the
> vhosts element was defined locally (in
> config/config.inc.php3), not in the URL.
>
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Geoffrey W. Martin Unix Support Group
> System Administrator Brock University
> St. Catharines, Ontario
> geoff@spartan.ac.BrockU.CA Canada
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
--
Mike Glover webmaster@duluoz.net
Duluoz Networks http://www.duluoz.net
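
Added example, not part of the original message or of TWIG: a stand-alone script comparing the GET-only test from the quoted suggestion with the three-source test the reply proposes. register_globals no longer exists in current PHP, so its import step is simulated; the function names are hypothetical and every request value is constructed.

```php
<?php
// Added example. register_globals was removed in PHP 5.4, so its import
// step is simulated here; every request value below is constructed.

// Build the script's variable scope: request variables are imported first,
// then config assignments (if any) overwrite them.
function build_scope(array $config, array $get, array $post, array $cookie): array {
    return array_merge($get, $post, $cookie, $config);
}

// The GET-only test from the quoted suggestion.
function trusted_get_only(string $name, array $scope, array $get): bool {
    return !empty($scope[$name]) && !isset($get[$name]);
}

// The reply's test: the name must be absent from every request source.
function trusted_all_sources(string $name, array $scope, array $get,
                             array $post, array $cookie): bool {
    return !empty($scope[$name]) && !isset($get[$name])
        && !isset($post[$name]) && !isset($cookie[$name]);
}

$fromConfig  = ['vhosts' => ['www.example.test' => 'value-from-config']];
$fromRequest = ['vhosts' => ['www.example.test' => 'value-from-request']];

// Each case: [config, GET, POST, COOKIE].
$cases = [
    'config only'     => [$fromConfig, [], [], []],
    'GET supplied'    => [[], $fromRequest, [], []],
    'POST supplied'   => [[], [], $fromRequest, []],
    'cookie supplied' => [[], [], [], $fromRequest],
];

foreach ($cases as $label => [$config, $get, $post, $cookie]) {
    $scope = build_scope($config, $get, $post, $cookie);
    printf("%-16s get-only check: %-8s all-sources check: %s\n",
        $label,
        trusted_get_only('vhosts', $scope, $get) ? 'trusts' : 'rejects',
        trusted_all_sources('vhosts', $scope, $get, $post, $cookie) ? 'trusts' : 'rejects');
}
```

Both checks are deny-lists over request sources; assigning $vhosts unconditionally in the config file before it is read removes the dependence on where the value came from.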