COMMAND
Basilix Webmail System
SYSTEMS AFFECTED
Basilix Webmail System 0.9.7beta
PROBLEM
Tamer Sahin found the following. There is a simple mistake in the
Basilix Webmail system. If the .class file extension is not defined
as a PHP script in httpd.conf, any attacker may see very
valuable information by simply entering the URL:
http://victim.host/mysql.class
The MySQL username and password are stored in this file.
Example Exploit:
http://<running-basilix>/class/mysql.class
http://<running-basilix>/inc/sendmail.inc (settings.inc, etc.)
SOLUTION
This is NOT really a bug, but a misconfiguration that affects
**EVERY** web server that supports a scripting language (like PHP,
ASP, Cold Fusion or others).
For example, you have Apache with PHP and configure ONLY the .php
extension to be interpreted by the PHP engine; if you use a file
with a .php4 extension (or .inc, .class or another) as an "include
file", the server returns it as plain text when it is requested
directly. This is a potential problem if you have typed valuable
information in these files, such as database connection details,
services running or installed, network topology and others. The
difficulty in exploiting this misconfiguration is knowing the names
of the files used as "include files", as they don't appear in the
interpreted script that calls the "include file".
Workarounds for the web admin: list every file extension used for
"script files" and "include files" on the web server and verify
that each one is configured. These files should not be accessible
through other network services (such as FTP or NFS) or locally.
And don't forget the permissions of the files...
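One way to carry out the web admin check above, as an added example that is not part of the original advisory or of Basilix. It assumes the PHP mapping in httpd.conf is done with AddType/AddHandler lines whose type name contains "php"; the function names and the sample docroot are constructed for illustration.

```python
import os
import re
import tempfile

# Matches e.g. "AddType application/x-httpd-php .php .php4" (or AddHandler).
PHP_MAP = re.compile(
    r"^[ \t]*Add(?:Type|Handler)[ \t]+\S*php\S*[ \t]+(.+)$", re.I | re.M)

def php_extensions(conf_text):
    """Extensions that the given httpd.conf text hands to the PHP engine."""
    exts = set()
    for m in PHP_MAP.finditer(conf_text):
        exts.update("." + tok.lstrip(".").lower() for tok in m.group(1).split())
    return exts

def exposed_sources(docroot, handled):
    """Files under docroot that contain script code but whose extension is
    not mapped to PHP, so a direct request returns their source."""
    hits = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() in handled:
                continue
            path = os.path.join(base, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)
            except OSError:
                continue
            # Heuristic: "<?" covers short open tags; it also flags XML files.
            if b"<?" in head:
                hits.append(os.path.relpath(path, docroot).replace(os.sep, "/"))
    return sorted(hits)

def demo():
    """Constructed sample: only .php is mapped, includes use other extensions."""
    conf = "AddType application/x-httpd-php .php\n"
    samples = {
        "index.php": b"<?php include 'class/mysql.class'; ?>",
        "class/mysql.class": b"<?php $db_pass = 'PLACEHOLDER'; ?>",
        "inc/sendmail.inc": b"<?php $smtp = 'PLACEHOLDER'; ?>",
        "logo.txt": b"no code here",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return exposed_sources(root, php_extensions(conf))

if __name__ == "__main__":
    for rel in demo():
        print("served as plain text:", rel)
```

Every path it reports needs either its extension mapped to the script engine or the file moved out of the document root.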
Workaround for the script writers: if your script uses uncommon
extensions, include that information in the documentation, together
with the method for configuring the web server.