SecurityTracker.com
Category:   Application (E-mail Server)  >   SquirrelMail
Vendors:   SquirrelMail Development Team
(Vendor Issues Patch) Re: SquirrelMail Lets Remote Users Execute Arbitrary Commands By Appending Cookie-based Commands to the $THEME Variable
SecurityTracker Alert ID:  1003953
SecurityTracker URL:  http://securitytracker.com/id/1003953
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 3 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.2.5
Description:   A vulnerability was reported in the SquirrelMail web-based mail server. An authenticated remote user can cause arbitrary commands to be executed on the server.

It is reported that a valid and authenticated remote user can append user-supplied commands to the $THEME variable via cookies.

A demonstration exploit is provided in the Source Message.

Impact:   A valid and authenticated remote user can execute arbitrary commands on the server with the privileges of the web server.
Solution:   The vendor has fixed the code in the current CVS and plans to issue a fixed version (1.2.6) shortly. The vendor has also supplied a patch, available in the Source Message.
Vendor URL:  www.squirrelmail.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 29 2002 SquirrelMail Lets Remote Users Execute Arbitrary Commands By Appending Cookie-based Commands to the $THEME Variable



 Source Message Contents

Subject:  Re: squirrelmail 1.2.5 email user can execute command



On Wed, 2002-03-27 at 20:16, pokleyzz sakamaniaka wrote:
> email user  can append $THEME variable through 
> cookies

This is very obscure and is limited only to valid users within your
squirrelmail application (e.g. the person has to have a valid login in
order to exploit this vulnerability). The problem is fixed in the
current CVS and will be out with Squirrelmail-1.2.6. Here is the fix,
should you want to apply it, or just wait till the next release, since
this is not a high-risk vulnerability.

Regards,
Konstantin Riabitsev,
Squirrelmail Bugmaster

hotfix:

--- validate.php.orig	Sun Mar 31 16:15:52 2002
+++ validate.php	Fri Mar 29 00:28:05 2002
@@ -61,6 +61,15 @@
 * Include them down here instead of at the top so that all config
 * variables overwrite any passed in variables (for security).
 */
+
+/**
+ * Reset the $theme() array in case a value was passed via a cookie.
+ * This is until theming is rewritten.
+ */
+global $theme;
+unset($theme);
+$theme=array();
+
 require_once('../config/config.php');
 require_once('../src/load_prefs.php');
 require_once('../functions/page_header.php');
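
Review bot: The three added lines (`global $theme; unset($theme); $theme=array();`) only clear the cookie-supplied value when validate.php executes at file scope. If the file is ever included from inside a function, `unset()` on a `global`-declared name removes just the local reference and the assignment that follows creates a new local, so the global `$theme` keeps whatever the request put there. Assigning through `$GLOBALS['theme'] = array();` resets it in either case. The new docblock also writes `$theme()` for what is an array, and since the context comment above says config variables overwrite passed-in variables, it would help for the docblock to say why `$theme` is not covered by that and needs an explicit reset before `config.php` is loaded.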



Copyright 2019, SecurityGlobal.net LLC