SecurityTracker.com Archives - SquirrelMail Include File Bug May Let Remote Users Access Files on the Target System

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (E-mail Server) > SquirrelMail

Vendors: SquirrelMail Development Team

SquirrelMail Include File Bug May Let Remote Users Access Files on the Target System

SecurityTracker Alert ID: 1016209

SecurityTracker URL: http://securitytracker.com/id?1016209

CVE Reference: CVE-2006-2842 (Links to External Site)

OSVDB Reference: 25973 (Links to External Site)

Updated: Jul 3 2006

Original Entry Date: Jun 2 2006

Impact: Disclosure of system information, Disclosure of user information

Fix Available: Yes Exploit Included: Yes Vendor Confirmed: Yes

Version(s): 1.4.6 and prior versions

Description: A vulnerability was reported in SquirrelMail. A remote user can include and view files on the target system.

The 'functions/plugin.php' script does not properly validate user-supplied input in the 'name' parameter. If register_globals is enabled and magic_quotes_gpc is disabled, a remote user can supply a specially crafted URL to cause the target system to include files from the target system. This may allow the remote user to view the contents of the file.

A demonstration exploit URL is provided:

http://[target]/[squirrelmail dir]/src/redirect.php?plugins[]=../../../../etc/passwd%00

The vendor credits Junker Broke of Denix Solutions with reporting this vulnerability.

Impact: A remote user may be able to view files on the target system.

Solution: The vendor has issued a patch.

The SquirrelMail advisory is available at:

http://www.squirrelmail.org/security/issue/2006-06-01

Vendor URL: www.squirrelmail.org/security/issue/2006-06-01 (Links to External Site)

Cause: Access control error, Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: brokejunker@yahoo.com

Message History: This archive entry has one or more follow-up message(s) listed below.

Jul 3 2006

(Red Hat Issues Fix) SquirrelMail Include File Bug May Let Remote Users Access Files on the Target System (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 3 and 4.

Source Message Contents

Date: Thu, 01 Jun 2006 00:50:15 +0000
From: brokejunker@yahoo.com
Subject: Squirrelmail local file inclusion

 
Squirrelmail local file inclusion bug in functions/plugin.php .

Tested on the latest 1.4.x version.

No authentication needed.


if (isset($plugins) && is_array($plugins)) {

    foreach ($plugins as $name) {

        use_plugin($name);

    }

...

function use_plugin ($name) {

    if (file_exists(SM_PATH . "plugins/$name/setup.php")) {

        include_once(SM_PATH . "plugins/$name/setup.php");

        $function = "squirrelmail_plugin_init_$name";

        if (function_exists($function)) {

            $function();

        }

    }

 

....


If register_globals is on we can control the $name variable.


In order to avoid errors SM_PATH needs to be defined. Exploitation

is done through src/redirect.php ( it includes functions/plugin.php

prior to authentication and it defines SM_PATH ).


magic_quotes_gpc needs to be off.



Example:

http://[host]/[squirrelmail dir]/src/redirect.php?plugins[]=../../../../etc/passwd%00



Denix Solutions

Unix/Linux Solutions for your Business

http://www.denixsolutions.com

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2006, SecurityGlobal.net LLC