Bugtraq mailing list archives

Re: Security problems with TWIG webmail system


From: Shaun Clowes <shaun () securereality com au>
Date: Thu, 30 Nov 2000 08:25:00 AEST

Twig is a popular webmail system written in PHP, once called Muppet.
Author: Christopher Heschong
Homepage: http://twig.screwdriver.net
Version: 2.5.1 ( latest )
Problem: The possibility of processing our own PHP file can lead to
arbitrary command execution on the server as the httpd user.

Another option... in index.php3, replace the line:

if( $vhosts[$SERVER_NAME] )

with:

if( $vhosts[$SERVER_NAME] &&
!isset($HTTP_GET_VARS[vhosts]) )

This essentially checks to make sure that the
vhosts element was defined locally (in
config/config.inc.php3), not in the URL.

Just wanted to point out the above is _NOT_ sufficient to avoid the problem.
There are actually three separate methods by which one can affect variables
in the global PHP namespace. These different methods are stored in three different
arrays:

 HTTP_GET_VARS[]
 HTTP_POST_VARS[]
 HTTP_COOKIE_VARS[]

If I provide the exploit input via POST or COOKIE, I will achieve the same effect;
simply checking GET is not enough. I would suggest my initial workaround was
more suitable since it prevents ANY configuration information being provided
by remote input, however the above suggestion could easily be extended like
so:

if( $vhosts[$SERVER_NAME] &&
    !isset($HTTP_GET_VARS[vhosts]) &&
    !isset($HTTP_POST_VARS[vhosts]) &&
    !isset($HTTP_COOKIE_VARS[vhosts]))

Please note the above arrays are only available if track_vars is switched on;
it's always on in PHP versions > 4.0.2 and it's also set on in the sample php.ini
files shipped with PHP4. I'm not aware of track_vars availability in early versions
of PHP3, so your mileage may vary.

Cheers,
Shaun Clowes
SecureReality Pty Ltd
http://www.securereality.com.au
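The following is an added illustration of the point made in the reply above; it is not Twig's code and not part of the original message. It emulates what register_globals does (GET, POST and cookie parameters become global variables before any script code runs), then applies both the GET-only guard quoted in the thread and the three-array guard suggested in the reply to the same constructed request. The `$vhosts`, `$SERVER_NAME` and `$HTTP_*_VARS` names come from the thread; the `'config'` key, the hostname and the cookie payload are assumptions made up for the example. Turning `register_globals` off in php.ini removes the import entirely and is the more durable fix; the example keeps the PHP 4.0-era array names because that is what the thread discusses.

```php
<?php
// Added example (not Twig's code): why a guard on $HTTP_GET_VARS alone does
// not stop a remote user from supplying $vhosts when register_globals is on.

// What the local config (config/config.inc.php3) is expected to provide,
// shown here only as a comment:
//   $vhosts['mail.example.com'] = array('config' => '/etc/twig/mail.inc');
// The 'config' key is an assumed stand-in for whatever Twig keeps per host.

// Guard as quoted in the thread: only the GET array is checked.
function vhosts_set_locally_get_only($vhosts, $SERVER_NAME, $HTTP_GET_VARS)
{
    return !empty($vhosts[$SERVER_NAME])
        && !isset($HTTP_GET_VARS['vhosts']);
}

// Guard as extended in the reply: all three import channels are checked.
function vhosts_set_locally($vhosts, $SERVER_NAME,
                            $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS)
{
    return !empty($vhosts[$SERVER_NAME])
        && !isset($HTTP_GET_VARS['vhosts'])
        && !isset($HTTP_POST_VARS['vhosts'])
        && !isset($HTTP_COOKIE_VARS['vhosts']);
}

// Constructed request (not a captured one): nothing in the query string,
// but a cookie of the form  vhosts[mail.example.com][config]=/tmp/evil.inc
// which PHP parses into a nested array exactly as it would for GET or POST.
$SERVER_NAME      = 'mail.example.com';
$HTTP_GET_VARS    = array();
$HTTP_POST_VARS   = array();
$HTTP_COOKIE_VARS = array(
    'vhosts' => array($SERVER_NAME => array('config' => '/tmp/evil.inc')),
);

// Emulate register_globals: with no local config defining $vhosts, the
// cookie value is what ends up in the global variable of that name.
$vhosts = $HTTP_COOKIE_VARS['vhosts'];

echo "GET-only guard accepts config:    ";
var_dump(vhosts_set_locally_get_only($vhosts, $SERVER_NAME, $HTTP_GET_VARS));

echo "Three-array guard accepts config: ";
var_dump(vhosts_set_locally($vhosts, $SERVER_NAME,
                            $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS));
```

Run under PHP 4 with register_globals on, the first guard lets the cookie-supplied `$vhosts` through, since `$HTTP_GET_VARS['vhosts']` really is unset; the second rejects it because the same name is present in `$HTTP_COOKIE_VARS`. Moving the payload into a POST body changes nothing about the outcome, which is the point of checking all three arrays (or, better, of refusing to let any request variable reach configuration at all).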

