BasiliX Web Mail Server Lets Remote Users Read Files on the System

SecurityTracker Alert ID: 1001944
SecurityTracker URL: http://securitytracker.com/id/1001944
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jul 7 2001
Impact: Disclosure of system information, Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): BasiliX Webmail System 1.0.2beta, 1.0.3beta

Description:
A vulnerability has been reported in the BasiliX mail gateway that allows a remote user to read nearly any file on the system.
It is reported that BasiliX will include a file based on a user-supplied file name, as shown in this code excerpt from basilix.php3:
$file = $request_id["$RequestID"];
if($file == "") exit();
include($BSX_FILESDIR . "/" . $file);
There is reportedly a function in the file lang.inc that precedes the code listed above and checks the user-supplied RequestID variable to prevent arbitrary file names from being specified. However, there is reportedly a hole in the checking mechanism that allows the following file name format to pass:
request_id[DUMMY]=whatever_we_want
The remote user can read any file on the system that is readable by the web server. In addition, PHP files that are readable by the web server can be executed via this method.
The following URL will reportedly trigger this vulnerability:
http://[targethost]/basilix.php3?request_id[DUMMY]=../../../../etc/passwd&RequestID=DUMMY&username=blah&password=blah
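
A hardened form of the include dispatch shown above, as an added example that is not BasiliX code and not the vendor's fix. The function name, the allow-list entries and the demo directory are hypothetical; the key point is that the ID-to-file map lives on the server and is never populated from request parameters.

```php
<?php
// Added example, not BasiliX code. Names and map entries are hypothetical.

// Resolve a request ID to a file under $filesDir, or return null.
// $allowed is a server-side map (ID => file name) that is never built
// from request parameters, unlike $request_id in the excerpt above.
function resolve_request_file(string $filesDir, array $allowed, $requestId): ?string
{
    // Array-valued or unknown IDs are rejected outright.
    if (!is_string($requestId) || !array_key_exists($requestId, $allowed)) {
        return null;
    }
    $base = realpath($filesDir);
    $path = realpath($filesDir . '/' . $allowed[$requestId]);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // Defence in depth: the canonical path must stay inside $filesDir,
    // so a "../" sequence in a map entry cannot escape the directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo data: a temporary files directory with one include file.
$dir = sys_get_temp_dir() . '/bsx_files_demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
file_put_contents($dir . '/login.inc', "<?php // constructed sample\n");
$allowed = ['LOGIN' => 'login.inc', 'BAD' => '../../../../etc/passwd'];

// Constructed inputs: a valid ID, the advisory's DUMMY ID, an array value
// as request_id[DUMMY]=... would produce, and a map entry with traversal.
$cases = ['LOGIN', 'DUMMY', ['DUMMY' => '../../../../etc/passwd'], 'BAD'];
foreach ($cases as $id) {
    $path = resolve_request_file($dir, $allowed, $id);
    echo json_encode($id), ' => ', $path === null ? 'rejected' : 'include ' . $path, "\n";
}
```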

Impact:
A remote user can read any file on the system that is readable by the web server and can execute PHP files that are readable by the web server.

Solution:
The vendor has posted a fix to the vendor's web site (see the Vendor URL).

Vendor URL: www.basilix.org/

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any)

Message History: None.

Source Message Contents

Date: Fri, 06 Jul 2001 21:04:55 +0200
Subject: basilix bug
+--------------------------------------+
| Basilix Webmail System Vulnerability |
+--------------------------------------+
Release Date :
13:49, 6 July 2001
Version Affected :
Basilix Webmail System 1.0.2beta
Basilix Webmail System 1.0.3beta
Description :
basilix launches a file whose name is read from an array request_id.
from basilix.php3 :
$file = $request_id["$RequestID"];
if($file == "") exit();
include($BSX_FILESDIR . "/" . $file);
so we could change it very easily, but in file lang.inc which is added
earlier in basilix.php3 there is a function which checks the RequestID
variable so we can not pass for example request_id[BLAH]=/etc/passwd.
But there is one hole in it and we can pass
request_id[DUMMY]=whatever_we_want and it will not fail. In effect
attacker can read any file in system ( if she/he has permission ) and
can 'execute' php files.
Example Exploit :
http://beta.basilix.org/basilix.php3?request_id[DUMMY]=../../../../etc/passwd&RequestID=DUMMY&username=blah&password=blah
Solutions:
remove DUMMY from lang.inc. it disallows passing file names to include in
request_id[DUMMY].
the author already knows about this bug and he prepared a quick fix on
www.basilix.org.
Karol Więsek - su <su@poczta.arena.pl>