Home page logo
/

bugtraq logo Bugtraq mailing list archives

RES: Basilix Webmail System *.class *.inc Permission Vulnerabilit y
From: Erick Johny Maciel Bol <Erick.Bol () AMAZONIACELULAR COM BR>
Date: Sat, 13 Jan 2001 15:43:28 -0300

"This is not a bug, is a feature..."
This is NOT realy a bug, but a misconfiguration that afect **EVERY** web
server that suports a script language (like PHP, ASP, Cold Fusion or
others).
Example: You have Apache with PHP and configure ONLY the .php extension to
be interpreted by the PHP engine; if you use one file with .php4 extension
(or .inc, .class or another) as "include file", this is a potencial problem
if you have typed valuable information in these files, as database
connection, services running or installed, network topology and others.
The problem for explore this misconfiguration is know the name of the files
used as "include files" as they don´t appear in the interpreted script that
calls the "include file"
Workarounds for the web admin: list every file extensions used as "script
files" and "include files" in the web server and verify if they are
configured. These files can´t be acessed by other network service (as ftp or
nfs) or local. And don´t forget the permission of the files...
Workaround for the script writers: if your script uses uncommon extensions,
include that information in the documentation, with the configuration method
for the web server.
PS: Sorry for the (I think) poor english :-(

Erick Bol
Analista de suporte
Serviços ao Cliente
Amazônia Celular
Celular: (91)9983-5555

----- Mensagem original -----
De:           Tamer Sahin [SMTP:feedback () TAMERSAHIN NET]
Enviada em:           quinta-feira, 11 de janeiro de 2001 21:33
Para:         BUGTRAQ () SECURITYFOCUS COM
Assunto:              Basilix Webmail System *.class *.inc Permission
Vulnerability

---------------------------------------------------
tamersahin.net Security Solutions Announcement
---------------------------------------------------
 
Basilix Webmail System *.class *.inc Permission Vulnerability
 
 
Release Date:
January 12, 2001
 

Version Affected:
Basilix Webmail System 0.9.7beta
 

Description:
There is a simple mistake in the Basilix Webmail system. If .class file
extension is not defined as a PHP script at the httpd.conf any attacker
may see very valuable information by simply enterering the URL : 
 
<http://victim.host/mysql.class>
 
MySQL password and username is stored in this file. 
 

Example Exploit:
 
<http://<>running-basilix>/class/mysql.class
 
<http://<>running-basilix>/inc/sendmail.inc (settings.inc and etc.)
 

Solutions:
Class and inc file extensions should be defined as PHP files and shouldn'
t be given read permissions from outside. Obviously, MySQL port should
also be filtered from remote connects.

Regards;

Tamer Sahin
<http://www.tamersahin.net>
feedback () tamersahin net <mailto:feedback () tamersahin net> 

"Every blows that don't kill me make me stronger."




  By Date           By Thread  

Current thread:
  • RES: Basilix Webmail System *.class *.inc Permission Vulnerabilit y Erick Johny Maciel Bol (Jan 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]