Maia Mailguard

A Spam and Virus Management System

Version 1.0.2a

Ticket #479 (closed security: fixed)

Opened 2 months ago

Last modified 2 months ago

directory traversal and file read

Reported by: dmorton
Assigned to: dmorton
Priority: highest
Milestone: 1.0.3
Component: PHP scripts
Version: 1.0.1
Severity: critical
Keywords:
Cc:

Description

Adriel T. Desautels from http://www.netragard.com reports that the "lang" variable is not verified and can be used to display system files. More details can be found in their advisory.

In addition to "lang", I also found "prevlang" and "super" that needed to have some verification done.

I was not able to replicate the attack on any Linux system, but the examples given to me appear to be FreeBSD. I suspect the real security flaw is in a php/filesystem issue on particular operating systems. It seems some systems handle "%00" as a null terminated string, and truncate the requested filename - returning a file other than what Maia requested.
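The ticket describes the class of bug (an unverified "lang" value reaching the filesystem, with "%00" truncating the path on some platforms) but not the fix itself. The following is an added example, not Maia's code and not the contents of changeset [1184], showing the two pieces a defender wants here: an allowlist check for a language parameter that rejects traversal sequences and NUL bytes before any file is opened, plus a small detector that flags "lang"/"prevlang" values in access-log lines that are not plain language tags. The language-tag format, the locale directory layout and the log lines are all constructed assumptions.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit, parse_qs, unquote

# Accept only short language tags such as "en" or "fr-ca". Slashes, dots,
# NUL bytes and long strings all fail this pattern, so they are rejected
# before anything touches the filesystem. (The tag format is an assumption.)
LANG_RE = re.compile(r"^[a-z]{2}(?:-[a-z]{2})?$")


def make_sample_locale_dir():
    """Constructed stand-in for the directory of per-language files
    (assumption: one <code>.php per language)."""
    base = tempfile.mkdtemp(prefix="locale_")
    for code in ("en", "de", "fr-ca"):
        with open(os.path.join(base, code + ".php"), "w") as fh:
            fh.write("<?php // " + code + " strings\n")
    return base


def available_langs(base_dir):
    """Allowlist built from the files actually shipped, never from user input."""
    return {name[:-4] for name in os.listdir(base_dir)
            if name.endswith(".php") and LANG_RE.match(name[:-4])}


def validate_lang(base_dir, candidate):
    """Return the language code if it is well-formed and on the allowlist,
    otherwise None. A value such as '../../etc/hosts%00' fails the pattern,
    so the NUL-truncation behaviour of the underlying platform never matters."""
    if not isinstance(candidate, str) or "\x00" in candidate:
        return None
    code = candidate.lower()
    if not LANG_RE.match(code) or code not in available_langs(base_dir):
        return None
    return code


def lang_file_path(base_dir, candidate, default="en"):
    """Resolve the language file, falling back to the default language.
    The realpath containment check is defence in depth: even if the
    allowlist were built wrongly, the result must stay inside base_dir."""
    code = validate_lang(base_dir, candidate) or default
    base_real = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base_real, code + ".php"))
    if os.path.dirname(path) != base_real:
        raise ValueError("language path escaped base directory: %r" % path)
    return path


# Detection side: the ticket names "lang" and "prevlang" as language values.
SUSPECT_PARAMS = ("lang", "prevlang")
LOG_RE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+"')


def suspicious_lang_requests(log_lines):
    """Return (line_no, param, decoded_value) for each request whose
    lang/prevlang value is not a plain language tag. The value is decoded a
    second time so a double-encoded NUL ('%2500') is caught as well."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("url")).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            if param not in SUSPECT_PARAMS:
                continue
            for raw in values:
                value = unquote(unquote(raw))
                if not LANG_RE.match(value.lower()):
                    hits.append((n, param, value))
    return hits


# Constructed access-log lines, not taken from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Jul/2007:01:10:00 +0000] "GET /maia/login.php?lang=de HTTP/1.1" 200 512',
    '10.0.0.9 - - [06/Jul/2007:01:10:07 +0000] "GET /maia/login.php?lang=../../etc/hosts%00 HTTP/1.1" 200 1890',
    '10.0.0.9 - - [06/Jul/2007:01:10:09 +0000] "GET /maia/login.php?prevlang=..%2F..%2Fetc%2Fhosts%2500 HTTP/1.1" 200 1890',
]

if __name__ == "__main__":
    base = make_sample_locale_dir()
    print(lang_file_path(base, "de"))
    print(lang_file_path(base, "../../etc/hosts\x00"))  # falls back to en.php
    for hit in suspicious_lang_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The allowlist, not the realpath check, is what closes this ticket's bug: a NUL byte or traversal sequence never reaches a filesystem call, so it no longer matters whether a particular OS truncates at "%00". The realpath check only guards against the allowlist itself being built from something other than the shipped files.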

Attachments

1184.diff (2.8 kB) - added by dmorton on 07/06/07 01:16:35.
Patch file without DOS line endings…

Change History

07/02/07 02:49:25 changed by dmorton

  • status changed from new to closed.
  • resolution set to fixed.

Whether or not the actual security breakdown is in the underlying OS, we need to defend against it. Fixed in [1184].

07/06/07 01:16:35 changed by dmorton

  • attachment 1184.diff added.

Patch file without DOS line endings...