BasiliX Mail Gateway May Disclose Script File Contents via its Web Interface
|
|
SecurityTracker Alert ID: 1000580 |
|
SecurityTracker URL: http://securitytracker.com/id/1000580
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
|
Date: Jan 12 2001
|
Impact:
Disclosure of system information
|
|
Version(s): Basilix Webmail System 0.9.7beta
|
Description:
A file access control vulnerability has been announced in the BasiliX web-based mail system that can allow a remote attacker to view the contents of certain scripts, which may contain sensitive information.
The system reportedly displays the contents of .inc and .class files when they are requested over HTTP if those extensions are not defined as PHP scripts in the web server configuration file (httpd.conf).
For example, the URL (http://victim.host/mysql.class) will display mysql.class, which contains a MySQL password and username.
Some example exploit URLs include:
http://<running-basilix>/class/mysql.class
http://<running-basilix>/inc/sendmail.inc (settings.inc and etc.)
This information was provided by a tamersahin.net Security Solutions Announcement.
|
Impact:
A remote attacker could view the contents of certain .inc and .class scripts.
|
Solution:
Files with .class and .inc extensions should be defined as PHP files in the httpd.conf file. These files should also not be readable by outside connections.
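The solution above written out as an httpd.conf fragment. This is an added example, not taken from the advisory or from BasiliX; the `application/x-httpd-php` type assumes a mod_php installation, and the deny block uses Apache 2.4 syntax with the older equivalent shown in a comment.

```apache
# Added example (not from the advisory). Assumes Apache with mod_php.

# Weak: only .php is mapped to the PHP handler, so a request for
# /class/mysql.class or /inc/settings.inc is answered with the raw source.
#   AddType application/x-httpd-php .php

# Corrected, part 1: map the include extensions to the PHP handler so the
# server executes them instead of returning their text.
AddType application/x-httpd-php .php .inc .class

# Corrected, part 2: refuse direct HTTP requests for include files.
# PHP's include()/require() read from disk and are unaffected.
<FilesMatch "\.(inc|class)$">
    Require all denied
    # Apache 1.3/2.2 equivalent:
    #   Order allow,deny
    #   Deny from all
</FilesMatch>
```

Part 2 keeps the files unreadable over HTTP even if the handler mapping in part 1 is later lost, for example when the PHP module is replaced or disabled.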
|
Vendor URL: www.basilix.org
|
Cause:
Access control error
|
Underlying OS:
Linux (Any), UNIX (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 12 Jan 2001 02:33:28 +0200
Subject: Basilix Webmail System *.class *.inc Permission Vulnerability
|
---------------------------------------------------
tamersahin.net Security Solutions Announcement
---------------------------------------------------
Basilix Webmail System *.class *.inc Permission Vulnerability
Release Date:
January 12, 2001
Version Affected:
Basilix Webmail System 0.9.7beta
Description:
There is a simple mistake in the Basilix Webmail system. If the .class file extension is not defined as a PHP script in httpd.conf,
any attacker may see very valuable information by simply entering the URL:
http://victim.host/mysql.class
The MySQL password and username are stored in this file.
Example Exploit:
http://<running-basilix>/class/mysql.class
http://<running-basilix>/inc/sendmail.inc (settings.inc and etc.)
Solutions:
Class and inc file extensions should be defined as PHP files and shouldn't be given read permissions from outside. Obviously, the MySQL
port should also be filtered from remote connects.
Regards;
Tamer Sahin
http://www.tamersahin.net
feedback@tamersahin.net
"Every blows that don't kill me make me stronger."
|
|