[UNIX] Squirrelmail compose.php Variable Overwriting
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 13 Aug 2006 18:26:35 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Squirrelmail compose.php Variable Overwriting
------------------------------------------------------------------------
SUMMARY
A logged-in SquirrelMail user could overwrite arbitrary variables in
compose.php, which might make it possible to read or write other users'
preferences or attachments.
DETAILS
Vulnerable Systems:
* Squirrelmail version 1.4.0 up to version 1.4.7
Immune Systems:
* Squirrelmail version 1.4.8
The function the bug was in was actually broken in the latest release of
SquirrelMail. The simple fix is therefore to remove that function entirely
if you don't miss it. The patch below restores the functionality (resuming
a compose session after the user's session expired) and fixes the hole.
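As an added illustration (not SquirrelMail's own code), the vulnerable restore loop beside a whitelist restore of the kind the patch below introduces. The function names, the script state and the saved POST array are constructed for the example; `$saved_post` stands in for the `session_expired_post` array kept in the session.

```php
<?php
// Vulnerable shape: every key of the saved POST array becomes a local
// variable, so a key a real compose form never sends ('username',
// 'data_dir', ...) silently replaces state the script already holds.
function restore_unsafe(array $saved_post): array {
    // Constructed script state that must never be request-controlled.
    $username = 'alice';
    $data_dir = '/var/lib/squirrelmail/data/';
    $subject  = null;
    foreach ($saved_post as $postvar => $val) {
        if (isset($val)) { $$postvar = $val; } else { $$postvar = ''; }
    }
    return compact('username', 'data_dir', 'subject');
}

// Hardened shape, mirroring the patch: only a fixed list of compose
// variables may be restored, and only when the script has not already
// set them, so pre-login data cannot override existing state.
function restore_whitelisted(array $saved_post): array {
    $username = 'alice';
    $data_dir = '/var/lib/squirrelmail/data/';
    $subject  = null;
    // Shortened stand-in for the $compo_var_list in the patch.
    $allowed = array('send_to', 'send_to_cc', 'send_to_bcc', 'body', 'subject');
    foreach ($allowed as $var) {
        if (isset($saved_post[$var]) && !isset($$var)) {
            $$var = $saved_post[$var];
        }
    }
    return compact('username', 'data_dir', 'subject');
}

// Constructed sample: what an expired compose POST might carry, plus two
// keys that no legitimate compose form would submit.
$saved_post = array(
    'subject'  => 'lunch?',
    'username' => 'bob',
    'data_dir' => '/tmp/not-the-data-dir/',
);

$unsafe = restore_unsafe($saved_post);
$safe   = restore_whitelisted($saved_post);
echo "unsafe username:      ", $unsafe['username'], "\n"; // bob   (clobbered)
echo "whitelisted username: ", $safe['username'],   "\n"; // alice (untouched)
echo "whitelisted subject:  ", $safe['subject'],    "\n"; // lunch? (restored)
```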
CVE Information:
CVE-2006-4019: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4019
Patch:
A patch is available from:
http://www.squirrelmail.org/patches/sqm1.4.7-expired-post-fix-full.patch
Index: functions/auth.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/functions/auth.php,v
retrieving revision 1.34.2.11
diff -u -r1.34.2.11 auth.php
--- functions/auth.php 14 Apr 2006 22:27:07 -0000 1.34.2.11
+++ functions/auth.php 4 Aug 2006 14:17:17 -0000
@@ -60,6 +60,8 @@
sqsession_register($session_expired_location,'session_expired_location');
}
+ session_write_close();
+
// signout page will deal with users who aren't logged
// in on its own; don't show error here
//
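Review bot: the new session_write_close() call carries no comment saying why the session has to be flushed at this point (the session_expired_post and session_expired_location values registered just above need to reach the session store before the redirect to the login page); a one-line note would help. It is also worth confirming that nothing later in this function calls sqsession_register(), since writes made after session_write_close() are not persisted.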
Index: src/compose.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/compose.php,v
retrieving revision 1.319.2.68
diff -u -r1.319.2.68 compose.php
--- src/compose.php 14 Apr 2006 22:27:08 -0000 1.319.2.68
+++ src/compose.php 4 Aug 2006 14:17:19 -0000
@@ -258,13 +258,19 @@
sqsession_unregister('session_expired_post');
session_write_close();
} else {
- foreach ($session_expired_post as $postvar => $val) {
- if (isset($val)) {
- $$postvar = $val;
- } else {
- $$postvar = '';
+ // these are the vars that we can set from the expired composed
session
+ $compo_var_list = array ( 'send_to',
'send_to_cc','body','startMessage',
+
'passed_body','use_signature','signature','attachments','subject','newmail',
+ 'send_to_bcc', 'passed_id', 'mailbox',
'from_htmladdr_search', 'identity',
+ 'draft_id', 'delete_draft', 'mailprio', 'edit_as_new',
'compose_messsages',
+ 'composesession', 'request_mdn', 'request_dr');
+
+ foreach ($compo_var_list as $var) {
+ if ( isset($session_expired_post[$var]) && !isset($$var) ) {
+ $$var = $session_expired_post[$var];
}
}
+
$compose_messages = unserialize(urldecode($restoremessages));
sqsession_register($compose_messages,'compose_messages');
sqsession_register($composesession,'composesession');
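Review bot: 'compose_messsages' in $compo_var_list (the third 's' is a typo) will never match a key of $session_expired_post, so that entry is dead; either correct it to 'compose_messages' or drop it, given that $compose_messages is rebuilt from $restoremessages two lines later anyway. The whitelist combined with the !isset($$var) guard is the right shape for the fix: the saved POST data was captured before authentication, so restoring only known compose variables, and never overwriting one the script has already set, is what stops a pre-login POST from replacing script state such as the values later handed to getPref() in the redirect.php hunk.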
Index: src/login.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/login.php,v
retrieving revision 1.98.2.13
diff -u -r1.98.2.13 login.php
--- src/login.php 2 Jun 2006 15:51:45 -0000 1.98.2.13
+++ src/login.php 4 Aug 2006 14:17:19 -0000
@@ -43,13 +43,24 @@
}
$base_uri = sqm_baseuri();
-/*
+/**
* In case the last session was not terminated properly, make sure
- * we get a new one.
+ * we get a new one, but make sure we preserve session_expired_*
*/
-sqsession_destroy();
-
+if ( !empty($_SESSION['session_expired_post']) &&
!empty($_SESSION['session_expired_location']) ) {
+ $sep = $_SESSION['session_expired_post'];
+ $sel = $_SESSION['session_expired_location'];
+
+ sqsession_destroy();
+
+ sqsession_is_active();
+ sqsession_register($sep, 'session_expired_post');
+ sqsession_register($sel, 'session_expired_location');
+} else {
+ sqsession_destroy();
+}
+
header('Pragma: no-cache');
do_hook('login_cookie');
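Review bot: the condition at the top of the new block requires both session_expired_post and session_expired_location to be non-empty, so an expired request that saved a location but no POST data has its location discarded by sqsession_destroy() at login; if that is intended, say so in the comment, otherwise preserve each value independently. This block also reads $_SESSION directly while the redirect.php hunk uses sqgetGlobalVar(..., SQ_SESSION) for the same keys; using the helper here too would keep session access consistent. Since the preserved values originate from a pre-authentication request, the whitelist in compose.php is what makes carrying them into the authenticated session safe, and the docblock should say so.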
Index: src/redirect.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/redirect.php,v
retrieving revision 1.72.2.11
diff -u -r1.72.2.11 redirect.php
--- src/redirect.php 14 Apr 2006 22:27:08 -0000 1.72.2.11
+++ src/redirect.php 4 Aug 2006 14:17:19 -0000
@@ -146,11 +146,15 @@
if ( sqgetGlobalVar('session_expired_location',
$session_expired_location, SQ_SESSION) ) {
sqsession_unregister('session_expired_location');
- $compose_new_win = getPref($data_dir, $username, 'compose_new_win',
0);
- if ($compose_new_win) {
- $redirect_url = $session_expired_location;
- } elseif ( strpos($session_expired_location, 'webmail.php') === FALSE
) {
- $redirect_url =
'webmail.php?right_frame='.urldecode($session_expired_location);
+ if ( strpos($session_expired_location, 'compose.php') !== FALSE ) {
+ $compose_new_win = getPref($data_dir, $username,
'compose_new_win', 0);
+ if ($compose_new_win) {
+ $redirect_url = $session_expired_location;
+ } elseif ( strpos($session_expired_location, 'webmail.php') ===
FALSE ) {
+ $redirect_url = 'webmail.php?right_frame=compose.php';
+ }
+ } else {
+ $redirect_url = 'webmail.php?right_frame=' .
urldecode($session_expired_location);
}
unset($session_expired_location);
}
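Review bot: the new else branch drops the strpos($session_expired_location, 'webmail.php') === FALSE guard that the old code applied before building the right_frame URL, so a saved location that already points at webmail.php now yields webmail.php?right_frame=webmail.php...; keeping that check in the else branch, or documenting why it is no longer needed, would avoid the regression. The compose branch, by contrast, now hardcodes right_frame=compose.php and relies on the session_expired_post restore for the rest, which is the safer choice since the saved location is request-supplied.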
Index: src/webmail.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/webmail.php,v
retrieving revision 1.92.2.18
diff -u -r1.92.2.18 webmail.php
--- src/webmail.php 2 Jun 2006 15:51:50 -0000 1.92.2.18
+++ src/webmail.php 4 Aug 2006 14:17:19 -0000
@@ -52,10 +52,6 @@
$mailbox = 'INBOX';
}
-if ( isset($_SESSION['session_expired_post']) ) {
- sqsession_unregister('session_expired_post');
-}
-
if(!sqgetGlobalVar('mailto', $mailto)) {
$mailto = '';
}
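Review bot: removing the unconditional unregister of session_expired_post here means the saved POST data now lives in the session until compose.php consumes it (the sqsession_unregister('session_expired_post') in the compose.php hunk); if the user logs in and never returns to compose.php, the pre-login data stays in the session for its full lifetime. A comment noting that compose.php is now the only place that clears it, or a fallback clear on a later non-compose request, would make the lifecycle explicit.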
ADDITIONAL INFORMATION
The information has been provided by James Bercegay of GulfTech Security
Research.
The original article can be found at:
http://www.squirrelmail.org/security/issue/2006-08-11
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.