[28590] in bugtraq
phpLinks mail() abuse Vulnerability
daemon@ATHENA.MIT.EDU (mindwarper@hush.com)
Thu Jan 23 15:46:12 2003
Message-Id: <200301201211.h0KCBJd4067692@mailserver3.hushmail.com>
Date: Mon, 20 Jan 2003 04:11:19 -0800
To: bugtraq@securityfocus.com
From: mindwarper@hush.com
phpLinks mail() abuse Vulnerability ( By Mindwarper :: mindwarper@hush.com :: )
<------- ------->
----------------------
Vendor Information:
----------------------
Homepage : http://www.destiney.com
Vendor : Could not be informed (Host not found)
Mailed advisory: 09/01/20
Vender Response : None
----------------------
Affected Versions:
----------------------
All 2.X versions
----------------------
Vulnerability:
----------------------
|PhpLinks has an email_confirmation file located in the /include/ directory which is used to
notify the users that they have signed up correctly. An exploit has been discovered in the
file email_confirmation.php which works as following: An attacker may call this file directly
(when it should really be included) and hijack the variables in such way that he/she may abuse
the mail() function. By using the example bellow, any person can use the server's smtp service.
without permission.
http:/victim.com/phplinks/include/email_confirmation.php?UserName=anyone&Email=target@mail.com&
site_title=test_&email_confirmation_2=Hello&owner_name=bu&owner_email=I_Own_j0u@victim.com
Side-note: An attacker may also use this file for XSS attack on the server.
----------------------
Solution:
----------------------
Please check the vendor's website for new patches.
As a temporary solution, create a .htaccess file that contains 'Deny from all'.
Place it in the /include/ directory and that should block remote users from accessing it.
- Mindwarper
Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2
Big $$$ to be made with the HushMail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427
