Invalid SquirrelMail Exploit

From: Jonathan Angliss (jon_at_squirrelmail.org)
Date: 06/23/03

  • Next message: Lorenzo Manuel Hernandez Garcia-Hierro: "Sambar Server : Crashing service with search.pl"
    Date: Mon, 23 Jun 2003 15:26:07 -0500
    To: bugtraq@securityfocus.com
    
    

    Hi,

    I'm writing to correct a fatal reporting that was posted to one of the
    security focus mailing lists about SquirrelMail. It discusses files
    being accessible via the SquirrelMail website, and criticizes
    SquirrelMail to be at fault. The details for the exploit can be seen
    on the bugtraq website [1].

    Fortunately it is an invalid accusation. Even minor exploration would
    point the issue to the imap server itself. I'd like to draw peoples
    attention to the University of Washington's IMAP FAQ page [1], it
    clearly describes details on accessing /etc/passwd as detailed in the
    bugtraq item that was submitted.

    I'd be grateful if that portion of the ticket was revoked as invalid,
    as any testing performed with other IMAP servers such as Courier-IMAP,
    or Cyrus all return no mailboxes.

    The file moving/deletion vulnerability would also appear to be an IMAP
    dependant issue, as you cannot access arbitrary files from other IMAP
    servers, as other IMAP servers don't appear to treat all files
    equally.

    I am currently looking into the privilege escalation 'issue' that was
    also posted as part of the bug.

    Please note in future that any security related issues can be posted
    to any member of the SquirrelMail leadership team [2], or any of the
    mailing lists. We also have a dedicated mailing address for security
    alerts at security@squirrelmail.org.

      [1] http://www.securityfocus.com/bid/7952
      [2] http://www.washington.edu/imap/IMAP-FAQs/index.html#5.1
      [3] http://www.squirrelmail.org/about.php

    -- 
    Jonathan Angliss
    (jon@squirrelmail.org)
    

  • Next message: Lorenzo Manuel Hernandez Garcia-Hierro: "Sambar Server : Crashing service with search.pl"

    Relevant Pages