Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=555, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=331, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=330 and http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=329
SquirrelMail G/PGP Plugin gpg_help.php Local File Inclusion Vulnerability
Remote exploitation of a local file inclusion vulnerability in version 2.0 of the SquirrelMail G/PGP Plugin could allow an authenticated webmail user to execute arbitrary PHP code under the security context of the running web server.
Version 2.0 of the SquirrelMail G/PGP Plugin contains an implementation flaw in the way it includes certain files. Specifically, the 'gpg_help.php' and 'gpg_help_base.php' files will include local files that are supplied via the 'help' HTTP GET request parameter. An excerpt from the code follows:
// Help body text is inserted here via GET parameter
require_once (SM_PATH.'plugins/gpg/help/' . $_GET['help'] );
By using directory traversal specifiers, an attacker can trivially cause files stored on the Web server to be parsed as PHP code.
Analysis:
Exploitation could allow an attacker to include an arbitrary local file on the affected host.
Due to the lack of input validation on $_GET['help'], directory traversal specifiers could be utilized to parse any file on the system as PHP code.
iDefense has confirmed the existence of this vulnerability in version 2.0 of the G/PGP Encryption Plugin for SquirrelMail. It is suspected that earlier versions of the plug-in are also affected.
Vendor response:
The maintainers of the SquirrelMail G/PGP plug-in have not responded to repeated inquiries regarding this vulnerability. Versions since gpg.2.1devbuild14Jun07 appear to include a fix for this problem. This problem is not present in the recent 2.1 release made on July 7th, 2007.
CVE Information:
CVE-2006-4169
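As an added example (not part of the advisory or of the plug-in's code), the following hardened replacement for the unchecked require_once in gpg_help.php restricts the 'help' parameter to a plain file name inside the help directory and then confirms the resolved path with realpath(); the SM_PATH value is assumed.

```php
<?php
// Added example, not the plug-in's code: a hardened replacement for the
// unchecked require_once in gpg_help.php. The SM_PATH value is assumed.
define('SM_PATH', '/var/www/squirrelmail/');

// Returns the absolute path of an allowed help file, or false.
function gpg_safe_help_file($help)
{
    $base = realpath(SM_PATH . 'plugins/gpg/help');
    if ($base === false) {
        return false;
    }
    // Accept only a plain file name: no slashes, no '..', no NUL bytes,
    // and only the .php help pages the directory is meant to serve.
    if (!is_string($help) || !preg_match('/^[A-Za-z0-9_-]+\.php$/', $help)) {
        return false;
    }
    // Defense in depth: realpath() resolves symlinks, and the result must
    // still lie inside the help directory.
    $target = realpath($base . DIRECTORY_SEPARATOR . $help);
    if ($target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $target;
}

$help = isset($_GET['help']) ? $_GET['help'] : '';
$file = gpg_safe_help_file($help);
if ($file === false) {
    header('HTTP/1.0 400 Bad Request');
    exit('Unknown help topic');
}
// Help body text is inserted here, now from a validated path only.
require_once $file;
```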
SquirrelMail G/PGP Plugin gpg_recv_key() Command Injection Vulnerability
Remote exploitation of a command injection vulnerability in the G/PGP Encryption Plugin for The SquirrelMail Project Team's SquirrelMail webmail package allows attackers to execute arbitrary commands with the privileges of the underlying web server.
The problem specifically exists within the function gpg_recv_key() defined in gpg_key_functions.php. A call is made to exec() with unfiltered user-supplied data as demonstrated in the following piece of code:
$command = "$path_to_gpg --batch --no-tty --homedir $gpg_key_dir \
--keyserver hkp://$keyserver --recv-key $searchkeyid 2>&1";
[...]
exec($command, $output, $returnval);
The aforementioned '$keyserver' variable is supplied in the POST data to the gpg_options.php script. The attacker must have a valid authenticated session to exploit this vulnerability.
Analysis:
Exploitation of the described vulnerability allows authenticated remote attackers to execute arbitrary commands with the privileges of the underlying web server.
This vulnerability could be exploited by webmail users to gain shell access on the target server and potentially further compromise the system with local privilege escalation vulnerabilities.
Detection:
iDefense has confirmed the existence of this vulnerability in the latest version of the G/PGP Encryption Plugin for SquirrelMail, version 2.1. Furthermore, this vulnerability has been confirmed to exist as early as version 2.0. Other versions may be affected.
Workaround:
Disable the G/PGP Plugin if it is not required. Alternatively, add the following line above the initialization of the '$command' variable just prior to the call to exec():
$keyserver = escapeshellarg($keyserver);
Please note that this is an unofficial source patch, but should be sufficient as a workaround until an official patch is released from the vendor.
Vendor response:
The maintainers of the SquirrelMail G/PGP plug-in have not responded to repeated inquiries regarding this vulnerability. As such, it remains unpatched, even in the most current release made on July 7th, 2007.
CVE Information:
CVE-2005-1924
SquirrelMail G/PGP Plugin gpg_check_sign_pgp_mime() Command Injection Vulnerability
Remote exploitation of a command injection vulnerability in the G/PGP Encryption Plugin for The SquirrelMail Project Team's SquirrelMail webmail package allows attackers to execute arbitrary commands with the privileges of the underlying web server.
The problem specifically exists within the function gpg_check_sign_pgp_mime() defined in gpg_hook_functions.php. A call is made to exec() with unfiltered user-supplied data as demonstrated in the following piece of code:
$command = "echo -n \"$messageSignedText\" | $path_to_gpg --batch \
--no-tty --homedir $gpg_key_dir --verify ".\
$detachedSignatureFilename." - 2>&1";
if ($debug)
    echo "gpg command: ".$command."\n";
exec($command, $results, $returnval);
The '$messageSignedText' variable from above contains the stripped e-mail message.
Analysis:
Exploitation of the described vulnerability allows unauthenticated remote attackers to execute arbitrary commands with the privileges of the underlying web server.
Exploitation of this vulnerability occurs when a target webmail user opens a malicious e-mail message. As such the vulnerability can be exploited by any attacker who can convince a target user to open a malicious message.
Detection:
iDefense has confirmed the existence of this vulnerability in version 2.0 of the G/PGP Encryption Plugin for SquirrelMail. It is suspected that earlier versions of the plug-in are also affected.
Workaround:
Disable the G/PGP Plugin if it is not required. Alternatively, add the following line above the initialization of the '$command' variable just prior to the call to exec():
$messageSignedText= escapeshellarg($messageSignedText);
Please note that this is an unofficial source patch, but should be sufficient as a workaround.
Vendor response:
The maintainers of the SquirrelMail G/PGP plug-in have not responded to repeated inquiries regarding this vulnerability. Versions since 2.1devbuild12Sep06 appear to include a fix for this problem. This problem is not present in the recent 2.1 release made on July 7th, 2007.
SquirrelMail G/PGP Plugin deleteKey() Command Injection Vulnerability
Remote exploitation of a command injection vulnerability in the G/PGP Encryption Plugin for The SquirrelMail Project Team's SquirrelMail webmail package allows attackers to execute arbitrary commands with the privileges of the underlying web server.
The problem specifically exists within the function deleteKey() defined in gpg_keyring.php. A call is made to exec() with unfiltered user-supplied data as demonstrated in the following piece of code:
$command = "$path_to_gpg --batch --no-tty --yes --homedir \
$gpg_key_dir $flag $fpr 2>&1";
exec($command, $output, $returnval);
The deleteKey() routine is called from three files: import_key_file.php, import_key_text.php and keyring_main.php. The '$fpr' variable from above is supplied in the POST data. The attacker must have a valid authenticated session to exploit this vulnerability.
Analysis:
Exploitation of the described vulnerability allows authenticated remote attackers to execute arbitrary commands with the privileges of the underlying web server.
This vulnerability could be exploited by webmail users to gain shell access on the target server and potentially further compromise the system with local privilege escalation vulnerabilities.
Detection:
iDefense has confirmed the existence of this vulnerability in the latest version of the G/PGP Encryption Plugin for SquirrelMail, version 2.1. Furthermore, this vulnerability has been confirmed to exist as early as version 2.0. Other versions may be affected.
Workaround:
Disable the G/PGP Plugin if it is not required. Alternatively, add the following line above the initialization of the '$command' variable just prior to the call to exec():
$fpr = escapeshellarg($fpr);
Please note that this is an unofficial source patch, but should be sufficient as a workaround until an official patch is released from the vendor.
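The three workarounds above (for '$keyserver', '$messageSignedText' and '$fpr') all apply the same pattern. As an added example that is not part of the advisory or of the plug-in's code, the following shows the unquoted gpg_recv_key() command string beside a hardened version that validates the shape of each value and then quotes every user-derived argument with escapeshellarg(); the gpg path and key directory are assumed, and the hostile key server value is constructed.

```php
<?php
// Added example, not the plug-in's code: the unquoted command string from
// gpg_recv_key() beside a hardened version. The same pattern applies to the
// '$messageSignedText' and '$fpr' cases. Tool paths below are assumed.
$path_to_gpg = '/usr/bin/gpg';
$gpg_key_dir = '/var/www/.gnupg';

// As shipped: every variable is interpolated into a string handed to exec(),
// so shell metacharacters in $keyserver or $searchkeyid reach /bin/sh.
function build_recv_cmd_vulnerable($path_to_gpg, $gpg_key_dir, $keyserver, $searchkeyid)
{
    return "$path_to_gpg --batch --no-tty --homedir $gpg_key_dir "
         . "--keyserver hkp://$keyserver --recv-key $searchkeyid 2>&1";
}

// Hardened: reject values that do not look like a host[:port] or a hex key
// id, then wrap each user-derived argument in escapeshellarg() (the
// advisory's workaround) so that it reaches gpg as a single word.
function build_recv_cmd_hardened($path_to_gpg, $gpg_key_dir, $keyserver, $searchkeyid)
{
    if (!preg_match('/^[A-Za-z0-9.-]+(:[0-9]{1,5})?$/', $keyserver)) {
        throw new InvalidArgumentException('invalid key server');
    }
    if (!preg_match('/^(0x)?[0-9A-Fa-f]{8,40}$/', $searchkeyid)) {
        throw new InvalidArgumentException('invalid key id');
    }
    return escapeshellarg($path_to_gpg) . ' --batch --no-tty --homedir '
         . escapeshellarg($gpg_key_dir) . ' --keyserver '
         . escapeshellarg('hkp://' . $keyserver) . ' --recv-key '
         . escapeshellarg($searchkeyid) . ' 2>&1';
}

// Constructed hostile value: a key server name carrying a shell separator.
$hostile = 'keys.example.org;echo injected';
$keyid   = '0xDEADBEEF';

// The vulnerable string carries the separator through to the shell verbatim.
echo build_recv_cmd_vulnerable($path_to_gpg, $gpg_key_dir, $hostile, $keyid), "\n";
// The hardened builder refuses the value before any string is assembled.
try {
    build_recv_cmd_hardened($path_to_gpg, $gpg_key_dir, $hostile, $keyid);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
// A well-formed value is accepted and emitted fully quoted.
echo build_recv_cmd_hardened($path_to_gpg, $gpg_key_dir, 'keys.example.org', $keyid), "\n";
```

Validation alone would already stop the injection; the escapeshellarg() quoting is kept so that the command remains safe even if the allowed character set is later widened.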
Vendor response:
The maintainers of the SquirrelMail G/PGP plug-in have not responded to repeated inquiries regarding this vulnerability. As such, it remains unpatched, even in the most current release made on July 7th, 2007.
CVE Information:
CVE-2005-1924