On 27.03.2013 17:04, Sergey Sidlyarenko wrote:
> The hacker first changes the value of the user preference
> generic_message_footer to any file Roundcube is allowed to read
> (config/db.inc.php, config/main.inc.php), then sends himself a message
> (with the config file included). This allows viewing the session crypto
> key and the db user and password. If phpmyadmin (mysql) or pgmyadmin
> (pgsql) is installed at the hosting and sessions are saved in the db,
> the hacker gets the user's mail login and password.
>
> else if (!empty($CONFIG['generic_message_footer'])) {
> $footer = file_get_contents(realpath($CONFIG['generic_message_footer']));

ouch - realpath is completely useless for safety

the only safe way for such things is
INSTALL_PATH_CONSTANT . basename($CONFIG['generic_message_footer'])

or COMPLETELY avoid letting a USER define which files are used to
display and store the text in the database OR use a fixed path for default
_______________________________________________
Roundcube Development discussion mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/dev
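
The point made in the reply above, as an added example that is not part of the original message and is not Roundcube code: the quoted `realpath()` pattern next to the fixed-directory-plus-`basename()` form. `FOOTER_DIR`, both `load_footer_*` functions and the temporary files are hypothetical and constructed for the demonstration.

```php
<?php
// Added example; FOOTER_DIR and the load_footer_* names are hypothetical.
// Constructed sandbox: a footer directory beside a config file holding a secret.
$base = sys_get_temp_dir() . '/footer_demo_' . getmypid();
mkdir("$base/footers", 0700, true);
file_put_contents("$base/footers/default.txt", "-- sent with webmail\n");
file_put_contents("$base/db.inc.php", "<?php // dsn: CONSTRUCTED-SECRET\n");
define('FOOTER_DIR', "$base/footers/");

// Pattern quoted in the thread: realpath() canonicalises ("../", symlinks)
// but places no limit on which directory the resulting path points into.
function load_footer_vulnerable($pref)
{
    return file_get_contents(realpath($pref));
}

// Fix suggested in the reply: fixed directory plus basename() of the value.
// basename() drops all directory components; is_file() rejects "", "." and "..".
function load_footer_pinned($pref)
{
    $path = FOOTER_DIR . basename($pref);
    return is_file($path) ? file_get_contents($path) : false;
}

$inputs = [
    FOOTER_DIR . 'default.txt',      // legitimate footer
    FOOTER_DIR . '../db.inc.php',    // relative traversal out of footers/
    "$base/db.inc.php",              // absolute path to the config file
];
foreach ($inputs as $pref) {
    foreach (['load_footer_vulnerable', 'load_footer_pinned'] as $fn) {
        $out = $fn($pref);
        $leak = is_string($out) && strpos($out, 'CONSTRUCTED-SECRET') !== false;
        printf("%-24s %-14s %s\n", $fn, basename($pref),
            $leak ? 'config disclosed' : ($out === false ? 'rejected' : 'footer served'));
    }
}

// Remove the sandbox.
unlink("$base/footers/default.txt");
unlink("$base/db.inc.php");
rmdir("$base/footers");
rmdir($base);
```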
