Bugtraq mailing list archives

squirrelmail: squirrelspell plugin check_me.mod.php bug


From: <skylined () edup tudelft nl>
Date: 4 Feb 2002 15:02:02 -0000


In-Reply-To: <1176.213.134.140.130.1011887757.squirrel () mail bsquad sm pl>

Squirrelspell v0.3.1 is known to be affected; vulnerability of other versions is unknown.

The buggy code (extraction):
---------------------
// Define the command used to spellcheck the document.
$sqspell_command=$SQSPELL_APP[$sqspell_use_app];
// For the simplicity's sake we'll put all text into a file
// in attachment_dir directory, then cat it and pipe it to sqspell_command.
// There are other ways to do it, including popen(), but it's unidirectional
// and no fun at all.
// NOTE: This will probably change in future releases of squirrelspell
// for privacy reasons.
//
$floc = "$attachment_dir/$username" . "_sqspell_data.txt";
$fp=fopen($floc, "w");
fwrite($fp, $sqspell_new_text);
fclose($fp);
exec("cat $floc | $sqspell_command", $sqspell_output);
unlink($floc);
---------------------
Seems to me one could insert commands in $attachment_dir, $username_sqspell_data and $SQSPELL_APP[$sqspell_use_app]. Never mind the other variables; any file I/O errors do NOT stop the exec() from being executed. (This goes for the "Fatal error: Call to undefined function: sqspell_getlang() in [xxx]/plugins/squirrelspell/modules/check_me.mod.php on line 59" too.)

Squirrelmail normally is configured to run as user "nobody", which is pretty safe but not perfect (so I'm told). On a normal installation, squirrelmail should only have write access to /tmp and /[squirrelmail-installation-path]/data. About read access I'm not sure; it probably doesn't have many rights there either. The installation manual tells users they SHOULD make /data inaccessible through your httpd; let's hope they did.

I'm not a Linux security expert, but having access as "nobody" to the server doesn't strike me as a BIG vulnerability. Having access to the squirrelmail "data" directory might be a whole different story.

SkyLined

PS. *.tudelft.nl is mostly unreachable pending a fix in the nameserver; any mail replies might thus bounce, please try again later.
More (recently updated) info & online exploit can be found at http://130.161.89.229/skylined?squirrelmail.html

http://spoor12.edup.tudelft.nl/skylined (=130.161.89.229 until the nameserver's fixed)
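The post above quotes the check_me.mod.php fragment and points out that several variables reach exec() through a shell command string. As an added example, not SquirrelSpell's or SquirrelMail's own code, here is how that same step looks when the spellchecker is selected from a fixed allowlist, started with proc_open(), and fed the text over stdin, so that none of the variables the post names ever become part of a command line. The $SQSPELL_APP array and its contents are constructed for the example, the spellchecker paths are assumed, and the example_ prefixed function is a name chosen here.

```php
<?php
// Added example (not the plugin's own code): a hardened rewrite of the
// check_me.mod.php fragment quoted in the post. Names prefixed "example_"
// are chosen here; $SQSPELL_APP mirrors the plugin's config array but its
// contents below are constructed and the binary paths are assumptions.

// Admin-side allowlist of spellcheckers. Keys are what a request may select;
// values are fixed argv arrays, so nothing from the request is ever a command.
$SQSPELL_APP = array(
    'English' => array('/usr/bin/ispell', '-a'),
    'Dutch'   => array('/usr/bin/ispell', '-a', '-d', 'nederlands'),
);

/**
 * Run the selected spellchecker on $text and return its output lines.
 *
 * - $use_app is checked with array_key_exists(), so a request cannot select
 *   anything outside the allowlist (the original indexed $SQSPELL_APP blindly).
 * - The text goes to the child's stdin through proc_open(); there is no
 *   temporary file, so $attachment_dir, $username and "cat" never appear
 *   in a command string and a failed fopen()/fwrite() can no longer be
 *   silently followed by an exec().
 * - Every argv element is wrapped with escapeshellarg(), so even a configured
 *   path containing shell metacharacters is passed through verbatim.
 */
function example_spellcheck(array $apps, $use_app, $text)
{
    if (!array_key_exists($use_app, $apps)) {
        throw new InvalidArgumentException('unknown spellchecker selected');
    }
    $cmd = implode(' ', array_map('escapeshellarg', $apps[$use_app]));

    $spec = array(
        0 => array('pipe', 'r'),   // child stdin  <- the text to check
        1 => array('pipe', 'w'),   // child stdout -> spellchecker report
        2 => array('pipe', 'w'),   // child stderr (read and discarded)
    );
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start spellchecker');
    }
    fwrite($pipes[0], $text);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        throw new RuntimeException("spellchecker exited with status $status");
    }
    return explode("\n", rtrim($out, "\n"));
}

// Constructed request values. The first is a normal selection; the second
// is the shape of value the original exec("cat $floc | $sqspell_command")
// would have handed to the shell, and here it is rejected before anything runs.
$report = example_spellcheck($SQSPELL_APP, 'English', "Hellp wrld\n");
foreach ($report as $line) {
    echo $line, "\n";
}
try {
    example_spellcheck($SQSPELL_APP, 'English; id', "x\n");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The point of the rewrite is that the only string handed to the shell is built from admin configuration, never from $attachment_dir, $username or a request-chosen array index, and the file-write step whose errors the post notes did not stop exec() is gone entirely.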

