All the listed exploits have been fixed in the recently released 1.2.8
version of SquirrelMail. These fixes have also been applied to the
current development and stable CVS, 1.3.2 and 1.2.9 respectively.

Since Raju receives the digest, I am posting this for the benefit of SquirrelMail
users :-) .
Tarun Dua


> [Unconfirmed vulnerability in SquirrelMail.  New packages should be
> coming out soon if this is the real thing.  In the meantime you may
> like to disable or check your installation -- Raju]
>
> This is an RFC 1153 digest.
> (1 message)
> ----------------------------------------------------------------------
>
> Message-ID: <000301c26021$9328b120$[EMAIL PROTECTED]>
> From: "DarC KonQuesT" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Squirrel Mail 1.2.7 XSS Exploit
> Date: Thu, 19 Sep 2002 16:14:28 -0500
>
> ****Sorry if you receive two of these.****
>
> DarC KonQuesT XSS Release-
>
> Product: Squirrel Mail 1.2.7 - released June 21, 2002 (tested, others
> possibly vulnerable)
> Vendor: Squirrel Mail - Web: www.squirrelmail.org
> Problem: Cross Site Scripting
> Severity: Moderate
> Operating System(s): Tested against Red Hat 7.3, all others vulnerable if
> they are using this version of Squirrel.
>
> Discovered: August 4, 2002
> Vendor Notified: um...now?
> Public Release: Now - September 10
>
> Background:
> Squirrel Mail is a webmail daemon that provides an HTTP mail interface
> using PHP.
>
> Release Notes:
>     I **DID NOT** notify the developers (until now) because I am a lazy
> SoB and my motivation is lacking (free lance, unpaid, bored guy). I kept
> putting it off (notice discovery date and the release now) and now they've
> released several newer versions (most recently 1.3.1), which I have not
> tested. Because of the release(S) of the new versions and due to my gross
> slothfulness, I've decided to do a direct public release. Also, for those
> of you who know PHP, you should be able to fix this problem without much
> trouble. Apologies to those who feel like they're getting screwed over by
> this.
>
> Problem:
>     User input is not sanitized so execution of arbitrary code on a client
> computer is possible through a Cross Site Scripting (XSS) hole while the
> code executes under the domain of the site which the webmail is hosted at.
> Similar holes exist in the following utilized scripts:
>     addressbook.php
>     options.php
>     search.php
>     help.php
>
> _MAIN_ Exploit:
>     The XSS hole I developed the most is in addressbook.php. I was able to
> inject and execute javascript code and after opening the addressbook page
> there was no indication that I had changed anything (after entering the
> HTML comment tags to get rid of some hanging code that my javascript had
> made text).
>
> The URL I crafted for the exploit is as follows:
>
> http://<VULNERABLE SITE>.net/webmail/src/addressbook.php?"><script>alert(document.cookie)</script><!--
>
> If you execute the code without the HTML comment tag on the end it leaves
> a nasty hanging bit of HTML code which is a clear indication that something
> has gone awry to many users (however some may ignore it as they don't
> understand it).
>
> _OTHER_ Holes:
>
> 1) This will reveal the path to PHP directory and other...maybe
> interesting to someone, I didn't really care but decided to include it.
> The problem is in options.php.
>
> http://<VULNERABLE SITE>.net/webmail/src/options.php?optpage=<script>alert('boop!')</script>
>
> it returns the following on the page for the server I tested:
> Fatal error: Failed opening required ''
> (include_path='.:/php/includes:/usr/share/php') in
> /var/www/squirrelmail/src/options.php on line 172
>
> 2) This is a XSS hole in search.php:
>
> http://<VULNERABLE SITE>.net/webmail/src/search.php?mailbox=<script>alert('boop!')</script>&what=x&where=BODY&submit=Search
>
> 3) Another in search.php
>
> http://<VULNERABLE SITE>.net/webmail/src/search.php?mailbox=INBOX&what=x&where=<script>alert('boop!')</script>&submit=Search
>
> 4) XSS in help.php:
>
> http://<VULNERABLE SITE>.net/webmail/src/help.php?chapter=<script>alert('boop!')</script>
>
> 5) XSS in addressbook (different):
>     Manually entered nicks, email addresses, first names, last names, and
> info sections in the addressbook are not filtered so script can be placed
> and executed through them the next time the page is viewed.
>
> Vendor Action:
>     I didn't notify....yeah yeah I know....
>
> Aftermath:
>     It seems to me this has all the normal dangers of a XSS hole so
> listing them seems pointless (I'm sure we've all seen them). If someone
> expands this idea to include other/larger possibilities I'd be interested
> in hearing about it.
> FINAL UPDATE - 9/10/02 I found what I believe is the main developer or
> head guy's email address so I'm direct mailing him too. Maybe he can tell
> us if the newer versions are fixed.
>
> (---There was a section here about a quote from their page --Revision=
> Konstantin ("Icon") Riabitsev informed me that MagicHTML has nothing to do
> with this but with the protection of email viewed in HTML form...seriously
> helliphino I didn't bother to look it up.  Thanks for the correction.--)
>
> Later on, and have fun,
>
> - DarC KonQuesT -(DiR)-
>     Ringleader - DarC Horizons
>     United States of America
>
> Greets:
> DarCLinG, V3ga, st3v3, Jenn, Christina, John (heh, you're next)
>
> "Congress shall make no law abridging the freedom of sXXXch, or the right
of
> the people peaceably to XXXemble, and to peXXXion the government for a
> redress of grievances." -- Marc Rotenberg

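The addressbook.php URL above is an attribute-context injection: a double quote in the request closes an attribute into which the unescaped request string is echoed, and the rest of the payload becomes markup. The snippet below is an added example, not SquirrelMail's own code; it assumes a form whose action attribute is built from the request URI (the real source line is not shown in the advisory) and uses constructed allow-list values for the options.php case.

```php
<?php
// Added example, not SquirrelMail code: the attribute-injection pattern behind
// the addressbook.php report, beside a hardened version, plus an allow-list for
// parameters that select a file (options.php?optpage=) rather than plain text.

// Vulnerable: the request URI is interpolated into an attribute unescaped, so a
// value containing a double quote closes the attribute and the <form> tag.
function form_action_vulnerable(string $request_uri): string {
    return '<form action="' . $request_uri . '" method="post">';
}

// Hardened: escape for an HTML attribute context. ENT_QUOTES also converts
// single quotes, so the same helper is safe inside '-delimited attributes.
function form_action_hardened(string $request_uri): string {
    $safe = htmlspecialchars($request_uri, ENT_QUOTES, 'ISO-8859-1');
    return '<form action="' . $safe . '" method="post">';
}

// A value that ends up in require() or a mailbox name must not merely be
// escaped: compare it against an allow-list and reject anything else. The
// page names here are constructed, not SquirrelMail's actual option pages.
function select_option_page(string $optpage, array $allowed): ?string {
    return in_array($optpage, $allowed, true) ? $optpage : null;
}

// Demonstration with the payload shape from the advisory (constructed input).
$uri = '/webmail/src/addressbook.php?"><script>alert(document.cookie)</script><!--';
echo form_action_vulnerable($uri), "\n";  // attribute closed, <script> emitted
echo form_action_hardened($uri), "\n";    // &quot;&gt;&lt;script&gt;... stays text
var_dump(select_option_page('<script>', ['personal', 'display', 'folder']));  // NULL
var_dump(select_option_page('display', ['personal', 'display', 'folder']));   // "display"
```

The stored case (item 5, addressbook entries) needs the same escaping at output time, since the data reaches the page from the address book rather than from the URL.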
