Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: PHP :: web5027.htm

SquirrelMail can be fooled to send spoofed messages and java scripts
25th Jan 2002 [SBWID-5027]

	SquirrelMail can be fooled to send spoofed messages and java scripts


	SquirrelMail < v 1.2.3


	Tom McAdam posted :

	The  compose.php  script  allows  parameters  to  be  passed  as   GETs.
	Therefore including the following in an HTML mail will  send  a  message




	The read_body.php script does not check  HTML  tags  for  javascript.  A
	trivial example:

	<img src=\"javascript:alert(\'Oh dear\')\">



	\"appelast\" added :

	One of the plugins has a very  interesting  piece  of  code,  from  file
	check_me.mod.php :

	$sqspell_command = $SQSPELL_APP[$sqspell_use_app];


	$floc = \"$attachment_dir/$username_sqspell_data.txt\");


	exec (\"cat $floc | $sqspell_command\", $sqspell_output);


	Everything should be ok, but where  this  page  includes  config  files,
	where are defined $attachment_dir and others ? Answer: Nowhere.  We  can
	set up variables $sqspell_command and $floc. Result  ?  We  can  execute
	any command of course as a http serwer owner.

	Exploit :





	Here is the fix for  the  arbitrary  remote  execution  with  httpd-user
	rights.  Place  this  file  in  the   squirrelmail/plugins/squirrelspell
	directory and execute it to fix the vulnerability.

	--- begin ---


	sed \"s/.mod.php/.mod/g\" sqspell_interface.php > tmp.1

	sed \"s/.mod.php/.mod/g\" sqspell_options.php > tmp.2

	mv -f tmp.1 sqspell_interface.php

	mv -f tmp.2 sqspell_options.php

	cd modules

	for FILE in *.mod.php; do 

	        NEWFILE=`echo $FILE | sed \'s/.php//\'`

	        mv $FILE $NEWFILE


	--- end ---


	squirrelmail-1.2.4 will contain all fixes

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH