Dailydave mailing list archives

Re: SquirrelMail GPG Plugin vuln


From: Stefan Esser <stefan.esser () sektioneins de>
Date: Mon, 09 Jul 2007 09:26:56 +0200

Version 2.1 of the SquirrelMail GPG Plugin was published yesterday. It
blocks an attack vector I found after your mail while quickly grepping
for dangerous PHP calls.

Version 2.1 of the plugin contains several more shell command execution 
vulnerabilities and the vendor is aware of this.

And yes, grepping for a few dangerous PHP calls is not that hard and you
will sooner or later find these bugs. However, to quote Halvar:
"Auditing is not supergrep."

The real challenge with the SquirrelMail GPG Plugin vulnerabilities is not
to find them after you got a hint that they exist. The challenge is to find
out that (and how) you can launch them (at least some of them) PRE-AUTH.

I really wonder if the auctioned bug is pre-auth or post-auth. I guess the
latter, because otherwise they would have mentioned it.

Giving out so much information was really stupid ...

Isn't that always the point when you sell a vulnerability in open source
software? If I want to sell you a lighttpd remote exploit and you trust me,
then you know that such a thing exists and you will most probably invest
more time in finding it yourself. The knowledge that something exploitable
really exists is a good motivation to find it.

Stefan


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
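The bug class the thread is about, user input reaching a shell command from PHP, shown as an added illustration beside a hardened form. This is constructed example code, not code from the SquirrelMail GPG Plugin or from the poster; the function names, the session flag and the request handling are assumptions made for the example.

```php
<?php
// Constructed illustration of a PHP shell command execution bug and a fix.
// Not the SquirrelMail GPG Plugin's code; $keyid is assumed to come from the request.

// Vulnerable pattern: request data concatenated straight into a command line.
// A value containing shell metacharacters changes which command the shell runs.
function list_key_unsafe(string $keyid): string
{
    $cmd = "gpg --list-keys " . $keyid;
    return (string) shell_exec($cmd);
}

// Hardened pattern: reject anything outside the narrow format a key id can take,
// then quote the argument so the shell treats it as one literal word.
function list_key_safe(string $keyid): string
{
    // OpenPGP key ids / fingerprints: hex, 8 to 40 characters, optional 0x prefix.
    if (!preg_match('/^(0x)?[0-9A-Fa-f]{8,40}$/', $keyid)) {
        throw new InvalidArgumentException('invalid key id');
    }
    $cmd = 'gpg --batch --list-keys ' . escapeshellarg($keyid);
    return (string) shell_exec($cmd);
}

// The authentication check decides whether a bug like the one above is
// reachable pre-auth or only post-auth. Assumed session flag and request layout:
function handle_request(array $session, array $get): string
{
    if (empty($session['user_is_logged_in'])) {
        http_response_code(403);
        return '';
    }
    return list_key_safe($get['keyid'] ?? '');
}
```

When reviewing code of this kind, the grep for `shell_exec`, `exec`, `system`, `passthru` and backticks only yields candidates; the work that matters is tracing each candidate back to the request and checking which handlers can reach it without a session, which is the distinction the post draws.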