squirrelmail: squirrelspell plugin check_me.mod.php bug

From: skylinedat_private
Date: Mon Feb 04 2002 - 07:02:02 PST

    In-Reply-To: <1176.213.134.140.130.1011887757.squirrelat_private>
    
    Squirrelspell v0.3.1 is known to be affected; 
    vulnerability of other versions is unknown.
    
    The buggy code (extraction):
    ---------------------
    // Define the command used to spellcheck the document.
    $sqspell_command=$SQSPELL_APP[$sqspell_use_app];
    // For the simplicity's sake we'll put all text into a file
    // in attachment_dir directory, then cat it and pipe it to sqspell_command.
    // There are other ways to do it, including popen(), but it's unidirectional
    // and no fun at all.
    // NOTE: This will probably change in future releases of squirrelspell
    // for privacy reasons.
    //
    $floc = "$attachment_dir/$username" . "_sqspell_data.txt";
    $fp=fopen($floc, "w");
    fwrite($fp, $sqspell_new_text);
    fclose($fp);
    exec("cat $floc | $sqspell_command", $sqspell_output);
    unlink($floc);
    ---------------------
    Seems to me one could insert commands in 
    $attachment_dir, $username_sqspell_data and 
    $SQSPELL_APP[$sqspell_use_app]. Never mind the 
    other variables; any file I/O errors do NOT stop the 
    exec() from being executed. (This goes for the "Fatal 
    error: Call to undefined function: sqspell_getlang() in 
    [xxx]/plugins/squirrelspell/modules/check_me.mod.php on line 59" too.)
    
    Squirrelmail normally is configured to run as 
    user "nobody", which is pretty safe but not perfect (so 
    I'm told).
    On a normal installation, squirrelmail should only 
    have write access to /tmp and /[squirrelmail-installation-path]/data. 
    About read access I'm not sure; it probably doesn't have 
    many rights there either.
    The installation manual tells users they SHOULD 
    make /data inaccessible through your httpd; let's 
    hope they did.
    
    I'm not a Linux security expert, but having access 
    as "nobody" to the server doesn't strike me as a BIG 
    vulnerability. Having access to the squirrelmail "data" 
    directory might be a whole different story.
    
    SkyLined
    
    PS. *.tudelft.nl is mostly unreachable pending a fix in 
    the nameserver, so any mail replies might bounce; 
    please try again later.
    More (recently updated) info & online exploit can be 
    found at http://130.161.89.229/skylined?squirrelmail.html
    
    http://spoor12.edup.tudelft.nl/skylined 
    (=130.161.89.229 until the nameserver's fixed)
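Editor's note, added to this archive page and not part of SkyLined's post or of the squirrelspell code: the example below makes the injection point concrete and shows one way to harden the exec() call. The first function rebuilds the exact shell command the quoted extraction hands to exec(), so an attacker-supplied $attachment_dir or $sqspell_use_app value (as the post describes; here the values are constructed for illustration and assume PHP register_globals made those variables request-controlled) can be seen landing in the command line without being run. The second function is an assumed hardened design, not the project's actual fix: the spellchecker is chosen from a fixed allowlist, every argument reaching the shell goes through escapeshellarg(), and the text is fed to the checker on stdin via proc_open(), so no temp file is written into $attachment_dir at all. The allowlist paths are assumptions.

```php
<?php
// Added example (editor's), not squirrelspell's own code.
// Shows why exec("cat $floc | $sqspell_command") is injectable and
// one hardened replacement that removes the temp file entirely.

// Rebuild the command string the vulnerable extraction would pass to
// exec(), WITHOUT executing it, so the injection point is visible.
function sqspell_build_command_vulnerable($attachment_dir, $username, $sqspell_command)
{
    // Same concatenation as the quoted code.
    $floc = "$attachment_dir/$username" . "_sqspell_data.txt";
    return "cat $floc | $sqspell_command";
}

// Hardened replacement (assumed design). The spellchecker name is looked up
// in a fixed table instead of being taken from a request variable; paths are
// assumptions for this example.
$SQSPELL_ALLOWED = array(
    'ispell' => array('/usr/bin/ispell', '-a'),
    'aspell' => array('/usr/bin/aspell', '-a'),
);

function sqspell_spellcheck_hardened($app, $text)
{
    global $SQSPELL_ALLOWED;

    // Reject anything not in the allowlist: a user-chosen $app can only
    // ever select one of the two entries above, never supply a command.
    if (!isset($SQSPELL_ALLOWED[$app])) {
        throw new InvalidArgumentException("unknown spellchecker: $app");
    }

    // escapeshellarg() quotes each argv element, so even the allowlisted
    // paths cannot be split or chained by the shell.
    $cmd = implode(' ', array_map('escapeshellarg', $SQSPELL_ALLOWED[$app]));

    // Bidirectional pipes: text goes in on stdin, results come back on
    // stdout. No file under $attachment_dir, so $username and
    // $attachment_dir never reach the shell at all.
    $spec = array(
        0 => array('pipe', 'r'),
        1 => array('pipe', 'w'),
        2 => array('pipe', 'w'),
    );
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException("cannot start $cmd");
    }
    fwrite($pipes[0], $text);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        throw new RuntimeException("spellchecker failed ($status): $err");
    }
    return explode("\n", rtrim($out, "\n"));
}

// Constructed demonstration values (not from the original post).
$attacker_dir = '/tmp; id #';          // attacker-controlled $attachment_dir
$username     = 'alice';
$checker      = '/usr/bin/ispell -a';

// Prints:  cat /tmp; id #/alice_sqspell_data.txt | /usr/bin/ispell -a
// i.e. the shell runs "cat /tmp" and then "id", and ignores the rest.
echo sqspell_build_command_vulnerable($attacker_dir, $username, $checker), "\n";

// The hardened path cannot be reached with a crafted command name.
try {
    sqspell_spellcheck_hardened('/usr/bin/ispell -a; id', "teh quick brwon fox");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The hardened version deliberately drops $username and $attachment_dir from the call path rather than trying to sanitize them; with the temp file gone there is nothing left for those variables to influence. If a spellchecker binary is installed at one of the assumed paths, calling sqspell_spellcheck_hardened('ispell', $text) returns the checker's output lines.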
    



    This archive was generated by hypermail 2b30 : Tue Feb 05 2002 - 09:21:08 PST