AOH :: HP Unsorted S :: TB10820.HTM

squirrelmail CSRF vulnerability



squirrelmail CSRF vulnerability
squirrelmail CSRF vulnerability




I. BACKGROUND

SquirrelMail is a standards-based webmail package written in PHP.
It includes built-in pure PHP support for the IMAP and SMTP protocols,
and all pages render in pure HTML 4.0 (with no JavaScript required) 
for maximum compatibility across browsers. It has very few requirements
and is very easy to configure and install. SquirrelMail has all the 
functionality you would want from an email client, including strong MIME
support, address books, and folder manipulation.

II. DESCRIPTION

Squirrel Mail application is vulnerable to Cross Site Request Forgery (CSRF)
vulnerability.

A remote user can perform all the legitimate actions which a normal user can
perform after a logged-in.

This attack is launched because squirrel mail application doesn't have secondary
authentication for actions. That is, application authenticates the request based
on cookie present in it. It does not have any session token which will identify
request as legitimate or not.

Assumption:

* The attacker has knowledge of sites the victim has current authentication on
* The attacker's "target site" has persistent authentication cookies, or the victim
  has a current session cookie

III. ANALYSIS

Successful exploitation of this vulnerability would allow an attacker to perform all the action
which a legitimate user can do. For example,
1. Send an E-Mail on behalf of victim.
2. Delete an E-Mail from victim's account.
3. Add a new contact into address book.
4. Create a new folder into victim's account.
5. Change the options/settings of victim's account.
6. Sign Out the victim from current session.

IV. DETECTION

Latest version of squirrel mail 1.4.8-4.fc6 and prior are found vulnerable.

V. WORKAROUND

I.  Application should check for Referer Header in every post login request.

II. Application should use CSRF token which is random enough to identify every legitimate post login request.

VI. VENDOR RESPONSE
??

VII. CVE INFORMATION
??

VIII. DISCLOSURE TIMELINE

05/02/2007 Initial vendor notification

??/??/??Initial vendor response

??/??/??Coordinated public disclosure

IX. CREDIT

Avinash Shenoi (savinash@cenzic.com) 
Vivek Relan (vivek@cenzic.com) 
Cenzic Inc.

X. REFERENCES

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1648 

XI. LEGAL NOTICES

Copyright =A9 

Permission is granted for the redistribution of this alert electronically. It may not be edited 
in any way without the express written consent of Cenzic. If you wish to reprint the whole or 
any part of this alert in any other medium other than electronically, please email for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing
based on currently available information. Use of the information constitutes acceptance for use 
in an AS IS condition. There are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage 
arising from use of, or reliance on, this information.


The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.