Any file in the latest version of AfterLogic WebMail contains

Any file in the latest version of AfterLogic WebMail contains

AfterLogic WebMail contains any file, including the latest version and the old version.

The latest version of AfterLogic WebMail 7.6.0 is used as an example for testing.

AfterLogic WebMail does not delete the install directory by default after installation.

So here you can also reinstall, set your own mailserver, and perform various operations

Any file inclusion can be performed without logon due to design defects during installation.

File/install/index. php:
 

/* * Copyright 2004-2015, AfterLogic Corp. * Licensed under AGPLv3 license or AfterLogic license * if commercial version of the product was purchased. * See the LICENSE file for a full license statement. */defined('WM_INSTALLER_PATH') || define('WM_INSTALLER_PATH', (dirname(__FILE__).'/'));include WM_INSTALLER_PATH.'installer.php';$oInstaller = new CInstaller();$oInstaller->Run();

Follow up/install/installer. php:

$this->_sState = isset($_GET['step']) ? $_GET['step'] : 'index';$this->_aMenu = array('compatibility', 'license', 'license-key', 'db','dav', 'admin-panel', 'email-server-test', 'completed');function Run(){if (isset($_GET['post'])){$this->Post();exit();}if ('index' === $this->_sState){$_SESSION['checksessionindex'] = true;header('Location: index.php?step=compatibility');exit();}$sState = in_array($this->_sState, $this->_aMenu) ? $this->_sState : 'compatibility';

When this is a POST request, the POST function is called.

If it is GET, it will judge $ this-> _ sState:

$sState = in_array($this->_sState, $this->_aMenu) ? $this->_sState : 'compatibility';

Therefore, the $ this-> _ sState parameter is limited and cannot be used. Let's look at the POST method:

function Post(){$sState = empty($_POST['state']) ? '' : $_POST['state'];if (isset($_POST['back_btn'])){header('Location: '.'index.php?step='.$this->getBackStep($sState));}else{$oStepObject = null;if (@file_exists(WM_INSTALLER_PATH.'steps/'.$sState.'.php')){include_once WM_INSTALLER_PATH.'steps/'.$sState.'.php';$oCurrentStateStepClass = 'C'.ucfirst(preg_replace('/[^a-z]/', '', $sState)).'Step';$oStepObject = new $oCurrentStateStepClass;$sUrl = 'index.php?step='.$sState;if ($oStepObject->DoPost()){$sUrl = 'index.php?step='.$this->getNextStep($sState);}header('Location: '.$sUrl);}else{echo 'State error';}}}

Here we can see $ sState = empty ($ _ POST ['state'])? '': $ _ POST ['state'];

Then determine whether the file exists. If it exists, unzip de_once.

The controllable variable $ sState is included in the file into include_once.

Therefore, the vulnerability exists.

However, this is a little tricky, that is, it needs to be truncated. The php version after 5.3.4 cannot be truncated.

Of course, you can reinstall it here, and then log on to the Upload File to get the shell

Solution:

Install is automatically deleted after the installation is completed, or instal. lock is determined.