Basilix Webmail
Incorrect File Permissions Vulnerability
Release Date

Version Affected
Basilix Webmail System 0.9.7beta

Product / Vendor
Basilix is a webmail application based on PHP and IMAP, and powered by the MySQL database server.

Summary
There is a simple mistake in the Basilix Webmail system. If the .class file extension is not defined as a PHP script in httpd.conf, any attacker may see very valuable information by simply entering the URL.

Basilix Webmail ships with several configuration files that have the file extensions '.class' and '.inc'. Among other things, these files contain the authentication information for the MySQL database that the product uses. These files reside in directories accessible via HTTP. If the webserver is not configured to treat .class and .inc files as PHP scripts, they can be retrieved by remote users. Properly exploited, this information can allow further attacks on the affected host.

http://victim.host/mysql.class
The MySQL password and username are stored in this file.

Exploit
http://<running-basilix>/class/mysql.class
http://<running-basilix>/inc/sendmail.inc (settings.inc etc.)

Solutions
The .class and .inc file extensions should be defined as PHP files and shouldn't be given read permissions from outside. Obviously, the MySQL port should also be filtered from remote connections.

Disclaimer
http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the information and/or the software listed on this security advisory.

Author
Tamer Sahin
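
The check described under Solutions can be automated. The script below is an added example, not part of the original advisory or of Basilix: it reads the text of an httpd.conf and reports which of the .class and .inc extensions are neither mapped to PHP nor denied by a FilesMatch block. The function names and both sample configurations are constructed for illustration, and it assumes all relevant directives sit in the one configuration text it is given.

```python
import re

SENSITIVE_EXTS = (".class", ".inc")  # extensions named in the advisory

# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """
AddType application/x-httpd-php .php .php3
"""
FIXED_CONF = """
AddType application/x-httpd-php .php .class
<FilesMatch "\\.(inc|class)$">
    Order allow,deny
    Deny from all
</FilesMatch>
"""

def _active(conf):
    """Drop comment lines so disabled directives are not counted."""
    return "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))

def php_mapped_exts(conf):
    """Extensions that AddType/AddHandler hand to the PHP interpreter."""
    exts = set()
    for line in _active(conf).splitlines():
        m = re.match(r"(?i)\s*(AddType|AddHandler)\s+(\S*php\S*)\s+(.+)", line)
        if m:
            exts.update("." + e.lstrip(".").lower() for e in m.group(3).split())
    return exts

def denied_patterns(conf):
    """Regexes of <FilesMatch> blocks whose body denies all access."""
    pats = []
    for m in re.finditer(r'(?is)<FilesMatch\s+"?([^">]+)"?\s*>(.*?)</FilesMatch>', _active(conf)):
        if re.search(r"(?i)deny\s+from\s+all|require\s+all\s+denied", m.group(2)):
            pats.append(re.compile(m.group(1)))
    return pats

def exposed_exts(conf, exts=SENSITIVE_EXTS):
    """Extensions from `exts` that would still be served as plain text."""
    mapped, denied = php_mapped_exts(conf), denied_patterns(conf)
    return [e for e in exts
            if e not in mapped and not any(p.search("x" + e) for p in denied)]

if __name__ == "__main__":
    print("weak :", exposed_exts(WEAK_CONF))
    print("fixed:", exposed_exts(FIXED_CONF))
```

Directives in .htaccess files or in files pulled in with Include are not read by this script, so a clean result applies only to the configuration text that was checked.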