basilix bug

From: karol _ (suat_private)
Date: Fri Jul 06 2001 - 12:04:55 PDT


    +--------------------------------------+
    | Basilix Webmail System Vulnerability |
    +--------------------------------------+
    
    Release Date :
    13:49, 6 July 2001
    
    
    Version Affected :
    
    Basilix Webmail System 1.0.2beta
    Basilix Webmail System 1.0.3beta
    
    
    Description :
    
    Basilix launches a file whose name is read from the array request_id.
    
    from basilix.php3 :
    
    	// file name taken from the client-controlled request_id array
    	$file = $request_id["$RequestID"];
    	if($file == "") exit();
    	// included directly under the files directory, no path validation here
    	include($BSX_FILESDIR . "/" . $file);
    
    
    So we could change it very easily, but in the file lang.inc, which is added
    earlier in basilix.php3, there is a function which checks the RequestID
    variable, so we cannot pass, for example, request_id[BLAH]=/etc/passwd.
    But there is one hole in it: we can pass
    request_id[DUMMY]=whatever_we_want and it will not fail. In effect an
    attacker can read any file in the system (if he/she has permission) and
    can 'execute' PHP files.
    
    
    Example Exploit :
    
    http://beta.basilix.org/basilix.php3?request_id[DUMMY]=../../../../etc/passwd&RequestID=DUMMY&username=blah&password=blah
    
    
    Solutions:
    
    Remove DUMMY from lang.inc; this disallows passing file names to include in
    request_id[DUMMY].
    The author already knows about this bug and has prepared a quick fix on
    www.basilix.org.
    
    
    
    Karol Więsek - su <suat_private>
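The root cause above is that the name of the file to include is taken from a client-controlled array, and the only guard is a validator with a gap (the DUMMY entry). A hardened version of the same dispatch, added here as an example and not Basilix's own code or the vendor's fix, keeps the request-ID-to-file map entirely on the server, so there is no client-supplied file name to validate, and additionally checks with realpath() that the resolved file lies inside the files directory. The directory path, the allowlist keys and the file names are assumptions for illustration; the original relied on register_globals, whereas this example reads RequestID explicitly from $_GET.

```php
<?php
// Added example, not Basilix's own code: a hardened replacement for the
// include dispatch quoted in the advisory. $BSX_FILESDIR, the allowlist
// entries and the file names are assumptions for illustration.

$BSX_FILESDIR = '/var/www/basilix/files';   // assumed install path

// Fixed, server-side map from request IDs to file names. The client only
// supplies a key; the file name itself never comes from the request, so a
// client-supplied request_id[...] value has nothing to overwrite.
$ALLOWED_REQUESTS = array(
    'LOGIN'   => 'login.inc',
    'MAILBOX' => 'mailbox.inc',
    'COMPOSE' => 'compose.inc',
);

/**
 * Map a client-supplied RequestID to an absolute path under $baseDir,
 * or return null if the ID is unknown or the path escapes the directory.
 */
function resolve_request_file($requestId, array $allowed, $baseDir)
{
    // Only exact allowlist keys are accepted; there is no DUMMY-style fallback.
    if (!is_string($requestId) || !array_key_exists($requestId, $allowed)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $allowed[$requestId]);
    if ($base === false || $path === false) {
        return null;   // directory or file does not exist
    }

    // Defence in depth: even with a fixed map, verify the resolved path is
    // inside the files directory (guards against a bad map entry or a symlink).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$requestId = isset($_GET['RequestID']) ? $_GET['RequestID'] : null;
$file = resolve_request_file($requestId, $ALLOWED_REQUESTS, $BSX_FILESDIR);
if ($file === null) {
    http_response_code(400);   // unknown request ID: refuse, do not guess
    exit();
}
include $file;
```

Two properties matter here: the included path is built only from constants and an allowlist lookup, never from request data, and an unknown or unmapped RequestID is rejected rather than falling through to a catch-all entry, which is exactly the gap the DUMMY key opened.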
    


