Re: squirrelmail bug

From: Adam Herscher (adam@xtime.com)
Date: 01/24/02 

Date: Thu, 24 Jan 2002 13:31:26 -0800 (PST)
From: Adam Herscher <adam@xtime.com>
To: appelast@bsquad.sm.pl

I'm unable to repro on squirrelmail 1.2.2 + openbsd 2.9:

Fatal error: Call to undefined function: sqspell_getlang() in
/usr/local/www/htdocs/www2.axisproductions.com/webmail/plugins/squirrelspell/modules/check_me.mod.php
on line 59

I'm also curious how much notice this person gave to the Squirrelmail
development team to prepare a fix before releasing it to the world.. (same
thought applies to the random cross-scripting vulnerability just sent out
3 seconds ago)

On anothre note Squirrelmail 1.2.3 was released 01/21/02.. I was wondering
if anyone has had the opportunity to test against it. This specific issue
doesn't seem to have been noted in the changelog:

http://www.squirrelmail.org/changelog.php

Attempted to contact off-list earlier, but it seems the sender's mx is
having problems.

<appelast@bsquad.sm.pl>:
213.134.128.227 does not like recipient.
Remote host said: 550 5.7.1 <appelast@bsquad.sm.pl>... Relaying denied
Giving up on 213.134.128.227.

On Thu, 24 Jan 2002 appelast@bsquad.sm.pl wrote:

>
> Squirrelmail remote execute commands bug
>
> Version Affected :
> 1.2.2
>
> Squirrelmail is a webmail system, which allows users to send, get, read
> etc.
> mails. It has some themes, plugins etc. One of the plugins has a very
> interesting piece of code :
>
> from file check_me.mod.php :
>
> $sqspell_command = $SQSPELL_APP[$sqspell_use_app];
> ...
> $floc = "$attachment_dir/$username_sqspell_data.txt");
> ...
> exec ("cat $floc | $sqspell_command", $sqspell_output);
>
>
> Everything should be ok, but where this page includes config files,
> where
> are defined $attachment_dir and others ? Answer: Nowhere. We can set up
> variables $sqspell_command and $floc. Result ? We can execute any
> command
> of course as a http serwer owner.
>
> Exploit :
>
> host/plugins/squirrelspell/modules/check_me.mod.php?SQSPELL_APP[blah]=wa
> ll%
> 20hello&sqspell_use_app=blah&attachment_dir=/tmp&username_sqspell_data=p
> lik
>
> <appelast@bsquad.sm.pl>
>
>

Relevant Pages

  • A squirrelmail problem in fc9
    ... I just installed fc9 linux. ... the squirrelamil plugins change_passwd does not work. ... in squirrelmail user group, but did not get any reply. ... # chown root:apache chpasswd ...
    (Fedora)
  • squirrelmail bug
    ... Squirrelmail remote execute commands bug ... It has some themes, plugins etc. ... Everything should be ok, but where this page includes config files, where ...
    (Bugtraq)
  • Re: Really good Web Mail Software (IMAP)
    ... The nicest thing about Squirrelmail is that the ... > core product is 100% HTML, clean and simple but there's a ton of plugins ... I use Squirrelmail exclusively for WebMail and the plugins are ...
    (Fedora)
  • Re: Howto package squirrelmail plugins the Debian way (Was Re: Sieve client)
    ... > To install any plugin you have to download the tarball and detar the package into ... > I guess new updates of squirrelmail will break the plugins installed manually. ... > My question now is how I could package the plugins the Debian way? ...
    (Debian-User)
  • Re: Howto package squirrelmail plugins the Debian way (Was Re: Sieve client)
    ... I guess new updates of squirrelmail will break the plugins installed manually. ... My question now is how I could package the plugins the Debian way? ... even if you'd install all known plugins it would use only a small amount of diskspace. ...
    (Debian-User)