Date: Fri, 12 Jan 2001 02:33:28 +0200
From: Tamer Sahin <feedback@TAMERSAHIN.NET>
Subject: Basilix Webmail System *.class *.inc Permission Vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM

---------------------------------------------------
tamersahin.net Security Solutions Announcement
---------------------------------------------------

Basilix Webmail System *.class *.inc Permission Vulnerability

Release Date:
January 12, 2001

Version Affected:
Basilix Webmail System 0.9.7beta

Description:
There is a simple mistake in the Basilix Webmail system. If the .class file extension is not defined as a PHP script in httpd.conf, any attacker may see very valuable information by simply entering the URL:

http://victim.host/mysql.class

The MySQL password and username are stored in this file.

Example Exploit:

http://<running-basilix>/class/mysql.class
http://<running-basilix>/inc/sendmail.inc (settings.inc, etc.)

Solutions:
The class and inc file extensions should be defined as PHP files and shouldn't be given read permissions from outside. Obviously, the MySQL port should also be filtered from remote connections.

Regards;

Tamer Sahin
http://www.tamersahin.net
feedback@tamersahin.net

"Every blows that don't kill me make me stronger."
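Added example, not part of the original advisory: a small Python check that reads Apache configuration text and reports whether .class and .inc files are executed by PHP, denied, or served as plain text. The function name audit and the two configuration fragments are constructed for illustration; it assumes a single configuration file and looks only at AddType/AddHandler lines and <Files>/<FilesMatch> blocks.

```python
import fnmatch
import re

# Handler/MIME names that execute PHP; "-source" variants print the source instead.
PHP = re.compile(r"php(?!-source)", re.I)
MAP = re.compile(r"^\s*(?:AddType|AddHandler)\s+(\S+)\s+(.+)$", re.I | re.M)
BLOCK = re.compile(r'<(Files|FilesMatch)\s+(~\s+)?"?([^">]+)"?\s*>(.*?)</\1>', re.I | re.S)
DENY = re.compile(r"^\s*(?:Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)
SETH = re.compile(r"^\s*SetHandler\s+(\S+)", re.I | re.M)


def audit(conf, extensions=(".class", ".inc")):
    """Map each extension to 'php', 'denied' or 'EXPOSED' for one httpd.conf text."""
    conf = "\n".join(ln for ln in conf.splitlines() if not ln.lstrip().startswith("#"))
    report = {}
    for ext in extensions:
        sample = "mysql" + ext          # file name used to test <Files> patterns
        state = "EXPOSED"               # default: served to the client as plain text
        for handler, args in MAP.findall(conf):
            exts = ["." + a.lstrip(".") for a in args.split()]
            if ext in exts and PHP.search(handler):
                state = "php"
        for kind, tilde, pattern, body in BLOCK.findall(conf):
            if kind.lower() == "filesmatch" or tilde:
                hit = re.search(pattern, sample)             # regex form
            else:
                hit = fnmatch.fnmatch(sample, pattern.strip())  # wildcard form
            seth = SETH.search(body)
            if hit and DENY.search(body):
                state = "denied"
            elif hit and seth and PHP.search(seth.group(1)) and state == "EXPOSED":
                state = "php"
        report[ext] = state
    return report


# Constructed httpd.conf fragments (not taken from the advisory).
WEAK = "AddType application/x-httpd-php .php\n"
HARDENED = r"""
AddType application/x-httpd-php .php .class .inc
<Files ~ "\.(inc|class)$">
    Order allow,deny
    Deny from all
</Files>
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf))
```

The hardened fragment applies both halves of the advisory's solution: the extensions are mapped to PHP, and direct requests for them are denied.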