severity 373731 serious
tags 373731 security confirmed upstream
thanks

On Thu, Jun 15, 2006 at 02:42:01PM +0200, Oliver Paulus wrote:
> There is a local file include vulnerability in redirect.php (information
> disclosure).
>
> For more information see: http://www.securityfocus.com/bid/18231
>
> Example URI: http://www.example.com/[squirrelmail dir]/src/redirect.php?plugins[]=../../../../etc/passwd%00

Ugh, both file_exists and include_once (!) simply work on the filename up
until the first nul byte. I see that the plugins[] array is actually never
reset in the squirrelmail source or configuration, allowing for this kind of
thing.

Since this allows including (and executing) arbitrary local files, including
ones in /tmp, this seems to be at least a local arbitrary code execution
vulnerability. It's not even required to be logged in; of course, planting an
attacking php script in /tmp or so requires a local account, or
alternatively, some other vulnerability.

Thanks for reporting,
--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
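
The two defects named in the message (a plugin list that is never reset, and a name passed straight to file_exists/include_once), shown beside a hardened form. This is an added example, not part of the original e-mail and not SquirrelMail's code; PLUGIN_ROOT, the function names and the commented-out config.php are assumptions.

```php
<?php
// Added illustration; names and layout are hypothetical, not SquirrelMail's code.

// Constructed plugin directory root for the example.
define('PLUGIN_ROOT', __DIR__ . '/plugins/');

// Before: the pattern the message describes. The name is concatenated into a
// path; on older PHP versions that stop at the first NUL byte, both calls see
// only the part before it, so the "/setup.php" suffix is silently dropped.
function load_plugin_unsafe($name) {
    $file = PLUGIN_ROOT . $name . '/setup.php';
    if (file_exists($file)) {
        include_once $file;
    }
}

// After: accept only a plain directory name, then confirm the resolved path
// is still inside PLUGIN_ROOT before it is included.
function plugin_setup_path($name) {
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_]+\z/', $name)) {
        return null;   // rejects "../", "/" and NUL bytes
    }
    $root = realpath(PLUGIN_ROOT);
    $file = realpath(PLUGIN_ROOT . $name . '/setup.php');
    if ($root === false || $file === false) {
        return null;   // missing plugin directory or setup.php
    }
    if (strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;   // resolved outside the plugin root (e.g. via symlink)
    }
    return $file;
}

function load_plugins_safe(array $names) {
    foreach ($names as $name) {
        $file = plugin_setup_path($name);
        if ($file !== null) {
            include_once $file;
        }
    }
}

// The list must come from configuration only: initialise it before the
// configuration is read so a request parameter (plugins[]=...) cannot seed it.
$plugins = array();
// include 'config.php';   // hypothetical config file that fills $plugins
load_plugins_safe($plugins);
```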