Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Horde IMP Server Discloses Files on the System to Remote Users
|
|
SecurityTracker Alert ID: 1007037
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jun 23 2003
|
Impact: Disclosure of system information, Disclosure of user information
|
Exploit Included: Yes
|
Description: A vulnerability was reported in the Horde Internet Messaging Program (IMP). A remote user can view files on the system.
SecuriTeam reported that Elia Florio has disclosed a vulnerability in the specification of cascading style sheets on the administrative
web interface. A remote user can supply a specially crafted path value to the 'index.php' script to read specified files with the
privileges of the web server process.
http://[target]/horde/admin/css/index.php?file=../../../../../../../../../etc/passwd
It
is also reported that a remote user can cause the system to display the installation path using this method but supplying a non-existant
file to the 'index.php' script.
http://[target/horde/admin/css/index.php?file=xxyyzz
[Editor's note: It is not clear from
the SecuriTeam report whether the remote user must be an authenticated remote user or not.]
|
Impact: A remote user can view files on the system with the privileges of the web server process.
A remote user can determine the installation path.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.horde.org/imp/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: SecuriTeam <support@securiteam.com>
|
Message History:
None.
|
Source Message Contents
|
Date: 23 Jun 2003 10:56:21 +0200
From: SecuriTeam <support@securiteam.com>
Subject: [UNIX] IMP Allows Arbitrary File Reading and Path Disclosure
|
The following security advisory is sent to the securiteam mailing list, and can be found at the Secur
iTeam web site: http://www.securiteam.com
- - promotion
Beyond Security in Canada
Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
We welcome ISPs, system integrators and IT systems resellers
to promote the most advanced vulnerability assessment solutions today.
Contact us at 416-482-0038 or at canadasales@beyondsecurity.com
- - - - - - - - -
IMP Allows Arbitrary File Reading and Path Disclosure
------------------------------------------------------------------------
SUMMARY
<http://www.horde.org> IMP (Internet Messaging Program) is a popular
application, written in PHP which provides WebMail access to any IMAP or
POP3 mailbox, and handles Internet standard MIME attachments, user defined
filters, preferences, and more. A vulnerability in the product allows both
arbitrary file reading and path disclosure vulnerabilities.
DETAILS
Elia Florio has found a security bug in the CSS manipulation page
(index.php) of IMP, inside the admin section of the web-interface. If an
user uses this page:
http://www.somesite.com/horde/admin/css/index.php
He can select the best CSS (cascade style-sheet) for IMP pages, using a
special StyleSheet Editor, written in PHP. In the standard installation of
IMP there are some CSS files showed in a ListBox of the page "index.php".
../../config/html.php
../../imp/config/html.php
../../turba/config/html.php
Selection of the CSS file is generated by the PHP page using a simple
<select> tag, which refers the chosen style-sheet using the syntax:
"index.php?file=". <select name="file"
onChange="self.location='index.php?file='+this.options[this.selectedIndex].value">
When an attacker provides a different file path to "index.php" page, it's
possible to read any arbitrary file of the server, with the only
limitation of web-server read permissions (enough to read /etc/passwd).
Instead, if an attacker provides a filename which not exists, the
application will return some information about path of IMP and Apache on
the server, like this:
Warning: Failed opening 'x' for inclusion
(include_path='/usr/local/apache/php:.') in
/var/data/horde/horde/admin/css/index.php on line 78
Exploit:
Using a lot of "../" in file path, it's possible to get off from web-root
and read any file in the server. This is typical attack URL used to read
passwd file of server:
http://www.somesite.com/horde/admin/css/index.php?file=../../../../../../../../../etc/passwd
Using a non-existent filename, in this way, it's possible to exploit the
path disclosure problem:
http://www.somesite.com/horde/admin/css/index.php?file=xxyyzz
ADDITIONAL INFORMATION
The information has been provided by <mailto:eflorio@edmaster.it> Elia
Florio.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@secu
riteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.co
m
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, con
sequential, loss of business
profits or special damages.
|
|
Go to the Top of This SecurityTracker Archive Page
|
