Bugtraq mailing list archives
Re: Security problems with TWIG webmail system
From: "Glover, Mike" <webmaster () DULUOZ NET>
Date: Wed, 29 Nov 2000 15:24:41 -0800
> Another option... in index.php3, replace the line:
>
>     if( $vhosts[$SERVER_NAME] )
>
> with:
>
>     if( $vhosts[$SERVER_NAME] && !isset($HTTP_GET_VARS['vhosts']) )
>
> This essentially checks to make sure that the vhosts element was
> defined locally (in config/config.inc.php3), not in the URL.
>
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Geoffrey W. Martin               Unix Support Group
> System Administrator             Brock University
>                                  St. Catharines, Ontario
> geoff () spartan ac BrockU CA    Canada
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

This will just make it slightly more difficult to exploit the
bug -- you've still got HTTP_POST_VARS and HTTP_COOKIE_VARS to
check. Perhaps something like this:

    function fetchlocalvar ($varname) {
        // The request arrays are ordinary globals in PHP 4, so they
        // have to be pulled into the function's scope; likewise
        // $$varname would only look at the function's own locals,
        // so the candidate value is read from $GLOBALS instead.
        global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;
        if ( isset($GLOBALS[$varname]) && $GLOBALS[$varname]
             && ! isset($HTTP_GET_VARS[$varname])
             && ! isset($HTTP_POST_VARS[$varname])
             && ! isset($HTTP_COOKIE_VARS[$varname]) )
        {
            return $GLOBALS[$varname];
        }
        return NULL;
    }

and use it like this:

    if ( $vhosts = fetchlocalvar("vhosts") ) {
        ...
    }

-mike

-- 
Mike Glover                 webmaster () duluoz net
Duluoz Networks             http://www.duluoz.net
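The check described in the message above, as an added example that is not code from TWIG or from either poster: the same fetchlocalvar() written for current PHP with the $_GET/$_POST/$_COOKIE superglobals, placed beside the unchecked lookup, and run against a constructed request that smuggles a vhosts array in through the query string. The shape of $vhosts, the host names, the "title" key and the register_globals emulation are all assumptions for illustration.

```php
<?php
// Added example (not TWIG's code, not the posters' code). Demonstrates
// why an unchecked $vhosts lookup can be fed from the request when
// register_globals is on, and the "was it defined locally?" check
// suggested in the thread. Everything below is constructed.

// Stand-in for config/config.inc.php3. Assumed to add per-host entries
// rather than reassign the whole array, which is what lets a value that
// was already in $vhosts survive.
function load_config()
{
    $GLOBALS['vhosts']['mail.example.com'] = array('title' => 'Example Mail');
}

// Stand-in for register_globals=on: copy every request variable into the
// global symbol table, roughly what PHP 4 did before the script started.
function emulate_register_globals()
{
    foreach (array($_GET, $_POST, $_COOKIE) as $source) {
        foreach ($source as $name => $value) {
            $GLOBALS[$name] = $value;
        }
    }
}

// The thread's check: hand back a global only if no request channel
// carries a variable of the same name. A function has its own scope, so
// the candidate value is read from $GLOBALS rather than via $$varname.
function fetchlocalvar($varname)
{
    if (!empty($GLOBALS[$varname])
        && !isset($_GET[$varname])
        && !isset($_POST[$varname])
        && !isset($_COOKIE[$varname])) {
        return $GLOBALS[$varname];
    }
    return NULL;
}

// Unchecked form: trusts whatever $vhosts currently holds.
function lookup_unchecked($server_name)
{
    global $vhosts;
    if (isset($vhosts[$server_name])) {
        return $vhosts[$server_name];
    }
    return NULL;
}

// Checked form: same lookup, but only over a locally defined $vhosts.
function lookup_checked($server_name)
{
    if ($vhosts = fetchlocalvar('vhosts')) {
        if (isset($vhosts[$server_name])) {
            return $vhosts[$server_name];
        }
    }
    return NULL;
}

// Constructed request: ?vhosts[evil.example][title]=Injected
$_GET    = array('vhosts' => array('evil.example' => array('title' => 'Injected')));
$_POST   = array();
$_COOKIE = array();

emulate_register_globals();   // request seeds $vhosts ...
load_config();                // ... and the config merely adds to it

var_dump(lookup_unchecked('evil.example'));    // array: injected entry accepted
var_dump(lookup_checked('evil.example'));      // NULL: vhosts came from the request
var_dump(lookup_checked('mail.example.com'));  // NULL: the check also blocks the real host
```

Run it with `php` from the command line. The third call shows the cost of this style of check: any request that carries a vhosts variable, even one the config would have overridden, makes fetchlocalvar() return NULL for every host, so a remote user can switch the lookup off entirely. The isset() test is a stopgap; the durable fix is register_globals = off (PHP's default since 4.2.0, and the setting was removed in 5.4) together with initializing `$vhosts = array()` before the config is included, so nothing from the request can seed it in the first place.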
Current thread:
- Re: Security problems with TWIG webmail system Glover, Mike (Dec 01)
- <Possible follow-ups>
- Re: Security problems with TWIG webmail system João Gouveia (Dec 01)
- Re: Security problems with TWIG webmail system Shaun Clowes (Dec 01)
- Re: Security problems with TWIG webmail system João Gouveia (Dec 01)
- Re: Security problems with TWIG webmail system Shaun Clowes (Dec 02)
- Re: Security problems with TWIG webmail system Rasmus Lerdorf (Dec 02)
