Dailydave mailing list archives
Re: SquirrelMail GPG Plugin vuln
From: Nicob <nicob () nicob net>
Date: Mon, 09 Jul 2007 00:14:11 +0200
Its probably not a good idea to give out so much information about the vulnerabilities. The Squirrelmail GPG Plugin one says its a command injection vulnerability. Shouldn't be too hard to rediscover that.
Version 2.1 of the SquirrelMail GPG Plugin was published yesterday. It blocks an attack vector I found after your mail while quickly grep'ing for dangerous PHP calls. I don't know if this patch killed the auctionned bug, but the funny comment in gpg_check_sign_pgp_mime() is still here. At least, my 2.0 PoC doesn't work anymore on 2.1 ;-)) Giving out some much information was really stupid ... Nicob _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- (no subject) Charles Miller (Jul 06)
- Re: (no subject) Dan Moniz (Jul 06)
- Re: SquirrelMail GPG Plugin vuln Nicob (Jul 08)