Vulnerability

    Basilix Webmail System

Affected

    Basilix Webmail System 1.0.2beta, 1.0.3beta

Description

    Karol W. found  following.  basilix  lunches a file  which name is
    read from an array request_id.  From basilix.php3 :

        $file = $request_id["$RequestID"];
        if($file == "") exit();
        include($BSX_FILESDIR . "/" . $file);

    So we could  change it very  easy, but in  file lang.inc which  is
    added earlier  in basilix.php3  there is  a function  which checks
    the  RequestID   variable  so   we  can   not  pass   for  example
    request_id[BLAH]=/etc/passwd.  But there is one hole in it and  we
    can pass request_id[DUMMY]=whatever_we_want and it will not  fail.
    In effect  attacker can  read any  file in  system (if  she/he has
    permission) and can 'execute' php files.

    Example Exploit:

        http://beta.basilix.org/basilix.php3?request_id[DUMMY]=../../../../etc/passwd&RequestID=DUMMY&username=blah&password=blah

Solution

    Remove DUMMY  from lang.inc.   It disallow  to pass  file names to
    include  in  request_id[DUMMY].   The  author  already knows about
    this bug and he prepared a quick fix on www.basilix.org.