The two attack methods described above are relatively easy to bring under control. In both cases, user data that we did not expect was passed in. Another example of this kind of attack can be found in the old Mambo version 4.0.3; see http://secunia.com/advisories/9796/ for details. The weak point was in the contact.php file, which contains the useful function for sending an email. Fortunately, this function is very cooperative; unfortunately, it is just as cooperative with attackers. All you need to call it is the GET parameter op=sendmail:
    switch($op) {
        case "sendmail":
            sendmail($text, $from, $name, $email_to, $sitename);
            break;
        // ...
    }
You will remember that all GET parameters in this version are automatically turned into global variables. So, what happens in the sendmail() function? Essentially, the PHP mail() function is called with exactly the parameters that are passed to sendmail():
function sendmail($text, $from, $name, $email_to, $sitename){ if ((isset...
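For comparison with the handler described above, here is a hardened contact-form handler. It is an added example, not Mambo's code and not the fix shipped by the project. The constants CONTACT_RECIPIENT and SITE_NAME and the form field names are assumptions. Because every argument in the original call comes from request-derived globals, this version fixes the recipient on the server, reads only the expected POST fields, and rejects CR/LF in anything that reaches a mail header:

```php
<?php
// Added example, not Mambo code. CONTACT_RECIPIENT, SITE_NAME and the
// form field names (name, from, text) are assumptions for illustration.
const CONTACT_RECIPIENT = 'webmaster@example.org';
const SITE_NAME = 'Example Site';

// Return one expected string field, or null if it is missing, not a
// string, empty, or contains CR/LF (which could add extra mail headers).
function header_field(array $post, string $key): ?string
{
    $value = $post[$key] ?? null;
    if (!is_string($value)) {
        return null;
    }
    $value = trim($value);
    return ($value === '' || preg_match('/[\r\n]/', $value)) ? null : $value;
}

function handle_contact(array $post): bool
{
    // Read only the fields we expect, from the request body, never globals.
    $name = header_field($post, 'name');
    $from = header_field($post, 'from');
    $text = is_string($post['text'] ?? null) ? trim($post['text']) : '';

    if ($name === null || $from === null || $text === '') {
        return false;
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // Recipient, sender and subject are fixed on the server; the visitor's
    // address only appears in Reply-To.
    $headers = [
        'From'         => CONTACT_RECIPIENT,
        'Reply-To'     => $from,
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    $subject = '[' . SITE_NAME . '] Contact form message';
    return mail(CONTACT_RECIPIENT, $subject, "Name: $name\n\n$text", $headers);
}

// Accept the action only as a POST; op=sendmail in a GET query is ignored.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && ($_POST['op'] ?? '') === 'sendmail') {
    http_response_code(handle_contact($_POST) ? 200 : 400);
}
```

Passing the headers as an array requires PHP 7.2 or later; a production form would also add a CSRF token and rate limiting.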