AOH :: HP Unsorted S :: BX1003.HTM

Squirrelmail Two vulnerabilities in SquirrelMail GPG plugin



Two vulnerabilities in SquirrelMail GPG plugin
Two vulnerabilities in SquirrelMail GPG plugin



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Site address: http://www.braverock.com/gpg 
SquirrelMail plugin page: http://www.squirrelmail.org/plugin_view.php?id=153 

1 issue - Deletion of files writable by web server user

SquirrelMail GPG plugin allows end users to delete or overwrite files
writable by web server user. In default SquirrelMail 1.4.3-1.4.8 setups
end users can delete stored user preferences and address books without
any complex hacks. Default SquirrelMail 1.4.9+ setups and custom rpm or
deb packages are still vulnerable to relative path attacks, because
location of attachment and data directories is known to attacker.

Upstream was notified about vulnerability on 2007-09-24. Patch was
provided on 2007-10-01. I haven't received any response and don't see
fixes in current (2007-12-09) gpg plugin snapshots.

Affected versions: 2.0, 2.0.1 and 2.1
Fix: http://www.topolis.lt/bugtraq/gpg_encrypt.php.diff.gz 

2 issue - Unsanitized display of public keys

SquirrelMail GPG plugin does not sanitize imported public key
information. It allows attacker to inject custom html tags in
SquirrelMail message display.

Upstream was notified about vulnerability (with fix) on 2007-10-15. I
haven't received any response and don't see fixes in current
(2007-12-09) gpg plugin snapshots.

Affected versions: 2.0, 2.0.1 and 2.1
Fix: http://www.topolis.lt/bugtraq/gpg_hook_functions.php.diff.gz 
POC exploit: http://www.topolis.lt/bugtraq/gpg-unsanitized-js-poc.eml.gz 

- --
Tomas Kuliavas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHW+//aYoxl8XwnvYRAjmwAJ0SH7OBb6VRrpmwwY3JY9bmMWN95ACgun5W
JV6Gdv4JD3ngLSXfLYw3poc=ajUp
-----END PGP SIGNATURE-----

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.