Bugtraq mailing list archives
Re: Fullpath disclosure in roundcube webmail
From: "Steven M. Christey" <coley () mitre org>
Date: Sat, 17 Dec 2005 18:43:28 -0500 (EST)
I try this request in my mailbox http://xxxx.com/roundcube/?_auth=3Dcf559dcf52d8801ccd51cd1f3ba3eca08d1b0 bce= &_task=3Dma%60il then roundcube shows this warning
For the 3 people who might care about the distinction (e.g. vuln DBs who exclude path disclosure), this appears to be a custom error message, not one generated by PHP, and therefore a design choice by the developer. Notice that in the URL above, the "_task" parameter has the value "ma`il" - an invalid value. roundcube appears to perform some validation of the value, then giving a verbose error message when the validation fails. Near the end of index.php we have:
// only allow these templates to be included $valid_tasks = array('mail','settings','addressbook'); // parse main template if (in_array($_task, $valid_tasks)) parse_template($_task); // if we arrive here, something went wrong raise_error(array('code' => 404, 'type' => 'php', 'line' => __LINE__, 'file' => __FILE__, 'message' => "Invalid request"), TRUE, TRUE);
So __FILE__ is part of the error message, which is inserted into a text template. The relevant code is in program/steps/error.inc and program/include/bugs.inc. This is based on source analysis of roundcubemail-0.1-20051021. - Steve
Current thread:
- Fullpath disclosure in roundcube webmail king_purba (Dec 17)
- <Possible follow-ups>
- Re: Fullpath disclosure in roundcube webmail Steven M. Christey (Dec 17)