SecurityTracker.com
Category:   Application (E-mail Server)  >   SquirrelMail
Vendors:   SquirrelMail Development Team
SquirrelMail Include File Bug May Let Remote Users Access Files on the Target System
SecurityTracker Alert ID:  1016209
SecurityTracker URL:  http://securitytracker.com/id/1016209
CVE Reference:   CVE-2006-2842
Updated:  Jul 3 2006
Original Entry Date:  Jun 2 2006
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 1.4.6 and prior versions
Description:   A vulnerability was reported in SquirrelMail. A remote user can include and view files on the target system.

The 'functions/plugin.php' script does not properly validate user-supplied input in the 'name' parameter. If register_globals is enabled and magic_quotes_gpc is disabled, a remote user can supply a specially crafted URL that causes the application to include a local file from the target system. This may allow the remote user to view the contents of the file.

A demonstration exploit URL is provided:

http://[target]/[squirrelmail dir]/src/redirect.php?plugins[]=../../../../etc/passwd%00

The vendor credits Junker Broke of Denix Solutions with reporting this vulnerability.

Impact:   A remote user may be able to view files on the target system.
Solution:   The vendor has issued a patch.

The SquirrelMail advisory is available at:

http://www.squirrelmail.org/security/issue/2006-06-01

Vendor URL:  www.squirrelmail.org/security/issue/2006-06-01
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 3 2006 (Red Hat Issues Fix) SquirrelMail Include File Bug May Let Remote Users Access Files on the Target System
Red Hat has released a fix for Red Hat Enterprise Linux 3 and 4.



 Source Message Contents

Subject:  Squirrelmail local file inclusion

Squirrelmail local file inclusion bug in functions/plugin.php.

Tested on the latest 1.4.x version.

No authentication needed.


if (isset($plugins) && is_array($plugins)) {
    foreach ($plugins as $name) {
        use_plugin($name);
    }
...

function use_plugin ($name) {
    if (file_exists(SM_PATH . "plugins/$name/setup.php")) {
        include_once(SM_PATH . "plugins/$name/setup.php");
        $function = "squirrelmail_plugin_init_$name";
        if (function_exists($function)) {
            $function();
        }
    }
}
....


If register_globals is on we can control the $name variable.

In order to avoid errors SM_PATH needs to be defined. Exploitation is done through src/redirect.php (it includes functions/plugin.php prior to authentication and it defines SM_PATH).

magic_quotes_gpc needs to be off.



Example:

http://[host]/[squirrelmail dir]/src/redirect.php?plugins[]=../../../../etc/passwd%00



Denix Solutions

Unix/Linux Solutions for your Business

http://www.denixsolutions.com
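
A hardened variant of the use_plugin() routine quoted in the source message, given here as an added example; it is not the vendor's patch and not SquirrelMail code. The names safe_plugin_setup_path() and use_plugin_checked(), the stand-alone SM_PATH value and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: hardened variant of use_plugin(). Not the vendor's patch.
// SM_PATH is defined here only so the file runs stand-alone (constructed value).
if (!defined('SM_PATH')) {
    define('SM_PATH', __DIR__ . '/');
}

// Hypothetical helper: returns the resolved path of plugins/<name>/setup.php,
// or null when $name is not a plain plugin directory name.
function safe_plugin_setup_path($name) {
    // With register_globals on, $name comes from the request and may be an array.
    if (!is_string($name)) {
        return null;
    }
    // Allowlist checked before any filesystem call. It excludes '/', '\', '.'
    // and NUL, so neither "../" nor a "%00" terminator can get through. The
    // name is also used in squirrelmail_plugin_init_<name>, so it has to be a
    // valid identifier fragment anyway.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath(SM_PATH . 'plugins');
    $file = realpath(SM_PATH . "plugins/$name/setup.php");
    if ($base === false || $file === false) {
        return null;
    }
    // Defence in depth: after symlink resolution the file must sit under plugins/.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

function use_plugin_checked($name) {
    $file = safe_plugin_setup_path($name);
    if ($file === null) {
        return false;
    }
    include_once $file;
    $function = "squirrelmail_plugin_init_$name";
    if (function_exists($function)) {
        $function();
    }
    return true;
}

// Constructed inputs: the advisory's value after URL decoding, an array, a plain name.
foreach (array("../../../../etc/passwd\0", array('x'), 'example_plugin') as $candidate) {
    var_dump(use_plugin_checked($candidate));
}
```

This check only confines the include to setup.php files under plugins/. While register_globals lets a request populate $plugins, the request can still choose which installed plugins are loaded, so the list itself should come from configuration rather than request data.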

 
 



Copyright 2019, SecurityGlobal.net LLC