[18595] in bugtraq


Basilix Webmail System *.class *.inc Permission Vulnerability

daemon@ATHENA.MIT.EDU (Tamer Sahin)
Fri Jan 12 16:55:44 2001

Message-ID:  <001301c07c2f$4beffca0$030aa8c0@ts>
Date:         Fri, 12 Jan 2001 02:33:28 +0200
Reply-To: Tamer Sahin <feedback@TAMERSAHIN.NET>
From: Tamer Sahin <feedback@TAMERSAHIN.NET>
To: BUGTRAQ@SECURITYFOCUS.COM


---------------------------------------------------
tamersahin.net Security Solutions Announcement
---------------------------------------------------

Basilix Webmail System *.class *.inc Permission Vulnerability


Release Date:
January 12, 2001


Version Affected:
Basilix Webmail System 0.9.7beta


Description:
There is a simple mistake in the Basilix Webmail system. If the .class file
extension is not defined as a PHP script in httpd.conf, any attacker may see
very valuable information by simply entering the URL:

http://victim.host/mysql.class

The MySQL password and username are stored in this file.


Example Exploit:

http://<running-basilix>/class/mysql.class

http://<running-basilix>/inc/sendmail.inc (settings.inc and etc.)


Solutions:
The .class and .inc file extensions should be defined as PHP files and
shouldn't be readable from outside. Obviously, the MySQL port should also be
filtered from remote connections.
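A httpd.conf fragment implementing the fix just described, as an added example that is not part of the advisory; the weak setting is shown beside the corrected one. It assumes Basilix lives under the default DocumentRoot and uses Apache 1.3/2.2 access-control syntax (the 2.4 equivalent is noted in a comment).

```apache
# Added example, not from the advisory. Hardening the vhost that serves Basilix.

# Weak setting: only .php is handed to the PHP module, so a direct request for
# /class/mysql.class or /inc/settings.inc is answered with the raw source,
# database username and password included.
AddType application/x-httpd-php .php

# Corrected setting, part 1: register the include extensions as PHP so that a
# directly requested .class or .inc file is executed, never echoed as text.
AddType application/x-httpd-php .php .class .inc

# Corrected setting, part 2: these files are only ever included by other
# scripts, so refuse direct requests outright. Even when executed, a directly
# requested settings file gains nothing, so denying is the safer default.
<FilesMatch "\.(class|inc)$">
    Order allow,deny
    Deny from all
    # Apache 2.4 without mod_access_compat: replace the two lines above with
    # Require all denied
</FilesMatch>
```

After reloading Apache, a request for /class/mysql.class should return 403 rather than source text; the MySQL port filtering the advisory also recommends is a host firewall matter outside this fragment.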
Regards;

Tamer Sahin
http://www.tamersahin.net
feedback@tamersahin.net

"Every blow that doesn't kill me makes me stronger."



