Bugtraq mailing list archives
Re: Security problems with TWIG webmail system
From: Shaun Clowes <shaun () securereality com au>
Date: Thu, 30 Nov 2000 08:25:00 AEST
Twig is a popular webmail system written in PHP, once called Muppet.

Author: Christopher Heschong
Homepage: http://twig.screwdriver.net
Version: 2.5.1 ( latest )

Problem: The possibility of processing our own php file, can lead to arbitrary command execution on the server as the httpd user.

Another option... in index.php3, replace the line:

    if( $vhosts[$SERVER_NAME] )

with:

    if( $vhosts[$SERVER_NAME] && !isset($HTTP_GET_VARS[vhosts]) )

This essentially checks to make sure that the vhosts element was defined locally (in config/config.inc.php3), not in the URL.
Just wanted to point out the above is _NOT_ sufficient to avoid the problem. There are actually three separate methods by which one can affect variables in the global PHP namespace. These different methods are stored in three different arrays:

    HTTP_GET_VARS[]
    HTTP_POST_VARS[]
    HTTP_COOKIE_VARS[]

If I provide the exploit input via POST, or COOKIE I will achieve the same effect, simply checking GET is not enough. I would suggest my initial workaround was more suitable since it prevents ANY configuration information being provided by remote input, however the above suggestion could easily be extended like so:

    if( $vhosts[$SERVER_NAME] && !isset($HTTP_GET_VARS[vhosts]) && !isset($HTTP_POST_VARS[vhosts]) && !isset($HTTP_COOKIE_VARS[vhosts]))

Please note the above arrays are only available if track_vars is switched on, it's always on in PHP versions > 4.0.2 and it's also set on in the sample php.ini files shipped with PHP4. I'm not aware of track_vars availability in early versions of PHP3, so your mileage may vary.

Cheers,
Shaun Clowes
SecureReality Pty Ltd
http://www.securereality.com.au
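The difference between the GET-only check and the extended check discussed in the message above, as an added example that is not part of the original post or of TWIG's code. It models the global-variable import with plain arrays so it runs on a current PHP CLI; the function names, host name and request values are assumptions made for the illustration.

```php
<?php
// Added example, not TWIG code. register_globals is modelled with plain arrays
// so this runs on a current PHP CLI. Host name and request input are constructed.

// Request input is imported first; the script's own config assignments run after it.
function import_globals(array $get, array $post, array $cookie, array $config): array
{
    return array_merge($get, $post, $cookie, $config);
}

// Check from the quoted suggestion: only the GET array is consulted.
function passes_get_only(array $globals, string $host, array $get): bool
{
    return !empty($globals['vhosts'][$host]) && !isset($get['vhosts']);
}

// Extended check from the reply: GET, POST and COOKIE are all consulted.
function passes_all_sources(array $globals, string $host, array $get, array $post, array $cookie): bool
{
    return !empty($globals['vhosts'][$host])
        && !isset($get['vhosts'])
        && !isset($post['vhosts'])
        && !isset($cookie['vhosts']);
}

$host   = 'mail.example.test';                        // constructed host name
$remote = ['vhosts' => [$host => 'remote-value']];    // constructed request input
$local  = ['vhosts' => [$host => 'local-value']];     // constructed local config entry

// Each case: [GET, POST, COOKIE, config]. Assumption: in the first three the
// local config defines no $vhosts, so request input is the only thing setting it.
$cases = [
    'via GET'     => [$remote, [], [], []],
    'via POST'    => [[], $remote, [], []],
    'via COOKIE'  => [[], [], $remote, []],
    'local only'  => [[], [], [], $local],
];

foreach ($cases as $label => [$get, $post, $cookie, $config]) {
    $globals = import_globals($get, $post, $cookie, $config);
    printf(
        "%-11s GET-only: %-9s all sources: %s\n",
        $label,
        passes_get_only($globals, $host, $get) ? 'accepted' : 'rejected',
        passes_all_sources($globals, $host, $get, $post, $cookie) ? 'accepted' : 'rejected'
    );
}
```

The POST and COOKIE cases are accepted by the GET-only check and rejected by the extended one, while the locally configured case is accepted by both.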