what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

squirrel145.txt

squirrel145.txt
Posted Jul 15, 2005
Authored by James Bercegay | Site gulftech.org

SquirrelMail versions 1.4.5-RC1 and below suffer from a variable overwriting flaw that can lead to further security issues.

tags | advisory
SHA-256 | dd93dad744255baae13b5e7d772f48087ad64980f12a51f292bbf9ebbc089175

squirrel145.txt

Change Mirror Download
##########################################################
# GulfTech Security Research July 14th, 2005
##########################################################
# Vendor : The SquirrelMail Project Team
# URL : http://www.squirrelmail.org/
# Version : SquirrelMail 1.4.5-RC1 && Earlier
# Risk : Variable Overwriting
##########################################################



Description:
SquirrelMail is a standards-based webmail package written in php. It
includes built-in pure PHP support for the IMAP and SMTP protocols.
Unfortunately there is a fairly serious variable handling issue in one
of the core SquirrelMail scripts that can allow an attacker to take
control of variables used within the script, and influence functions
and actions within the script. An updated version of SquirrelMail can
be downloaded from their official website. Users are advised to update
their SquirrelMail installations as soon as possible.



Variable Overwriting:
There is a fairly serious variable overwriting vulnerability in one
of the core SquirrelMail scripts. The vulnerable script makes use of
an extract() call in a careless manner, thus allowing us to overwrite
any variables declared before the fault extract call is made. Let's
have a look at /src/options_identities.php

/**
* Path for SquirrelMail required files.
* @ignore
*/
define('SM_PATH','../');

/* SquirrelMail required files. */
require_once(SM_PATH . 'include/validate.php');
require_once(SM_PATH . 'functions/global.php');
require_once(SM_PATH . 'functions/display_messages.php');
require_once(SM_PATH . 'functions/html.php');

/* POST data var names are dynamic because
of the possible multiple idents so lets get
them all
*/

if (!empty($_POST)) {
extract($_POST);
}

As we can see from the above block of code, the careless extract()
call is made after a majority of the important variables used in
the application are loaded, thus making them vulnerable to being
easily overwritten. In short, by submitting the variable(s) of the
attackers choosing a malicious user could easily influence many
important variables, and function calls.



Solution:
Thanks to Jonathan Angliss and the SquirrelMail team for a prompt
resolution to this vulnerability. In regards to the updated files

http://www.squirrelmail.org/download.php

The latest version of SquirrelMail 1.4.5 can be downloaded from the
link above, and users are advised to upgrade as soon as possible.



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00090-07142005



Credits:
James Bercegay of the GulfTech Security Research Team
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close