The mail message display page in SquirrelMail through 1.4.22 has XSS via a " Personal Informations > Email Address" setting.Ĭross-site request forgery (CSRF) vulnerability in compose.php in SquirrelMail 1.4.0 through 1.4.9a allows remote attackers to send e-mails from arbitrary users via certain data in the SRC attribute of an IMG element. Squirrelmail 4.0 uses the outdated MD5 hash algorithm for passwords. NOTE: the vendor disputes this because these two conditions for PHP object injection are not satisfied: existence of a PHP magic method (such as _wakeup or _destruct), and any attack-relevant classes must be declared before unserialize is called (or must be autoloaded).Ĭompose.php in SquirrelMail 1.4.22 calls unserialize for the $mailtodata value, which originates from an HTTP GET request. For more discussions on disclosures I would like to refer to Another Perspective in Vulnerability Disclosure, Sending Mixed Signals and Reflections on Vulnerability Disclosure.** DISPUTED ** compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST request. As this issue is post-authentication, we assume that the resulting damage from this full disclosure will likely be restricted. This is why we decided to fully disclose this issue. We have since tried to reach out via additional mails and Twitter and have received no response. We communicated this issue to Squirrelmail on. Why did you go full disclosure with this? The file delete works in the same fashion. The file will be attached to a mail and can be easily extracted by the attacker. The resulting call to fopen contains the attacker supplied path traversal, referencing an arbitrary file. The reference to $message->att_local_name in line 284 is controlled by the attacker. One vulnerable code path ends up in the line 284:Ģ84 $filename = $message->att_local_name Ģ94 $file_has_long_lines = file_has_long_lines($hashed_attachment_dirĢ97 $file = fopen ($hashed_attachment_dir. The attacker fully controls that parameter and can set it to arbitrary values. The parameter supplied by the attacker will be unserialized by the application and it contains the path to the temporary file that is supposed to be attached. An attacker can use a path traversal to reference arbitrary files from the target server getting attached to a mail. There is an arbitrary read of files due to missing sanitization of user supplied input. What are the technical details for this vulnerability? We checked the latest development version, which is 1.5.2-svn and the latest version available for download at this point of time, 1.4.22. Likely yes, if you are using Squirrelmail. 4, to their IMAP servers via Squirrelmail, whilst using different authentication and authorization. That means an attacker would need valid credentials for the application to log in or needs to exploit an additional vulnerability of which we are not aware of at this point of time.Īn attacker would also be able to delete files on the system, if the user running the application has the rights to do so. This may include configuration files, log files and additionally all files that are readable for all users on the system. What is the punchline, what do I need to know?Īn attacker able to exploit this vulnerability can extract files of the server the application is running on. This is a short Q&A to answer the most common questions about the issue to calm you all down a little bit. Birk an me basically fully disclosed a 0day in Squirrelmail yesterday.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |