Dailydave mailing list archives
Re: SquirrelMail GPG Plugin vuln
From: Stefan Esser <stefan.esser () sektioneins de>
Date: Mon, 09 Jul 2007 09:26:56 +0200
> Version 2.1 of the SquirrelMail GPG Plugin was published yesterday. It blocks an attack vector I found after your mail while quickly grep'ing for dangerous PHP calls.
Version 2.1 of the plugin contains several more shell command execution vulnerabilities and the vendor is aware of this. And yes, grepping for a few dangerous PHP calls is not that hard and you will sooner or later find these bugs. However, to quote Halvar: "Auditing is not supergrep." The real challenge with the SquirrelMail GPG Plugin vulnerabilities is not to find them after you got a hint that they exist. The challenge is to find out that (and how) you can launch them (at least some of them) PRE-AUTH. I really wonder if the auctioned bug is pre-auth or post-auth. I guess the latter because otherwise they would have mentioned it.
> Giving out so much information was really stupid ...
Isn't that always the point when you sell a vulnerability in an open source software? If I want to sell you a lighttpd remote exploit and you trust me then you know that such a thing exists and you will most probably invest more time in finding it yourself. The knowledge that something exploitable really exists is a good motivation to find it.

Stefan