Re: CVE Request for Horde and Squirrelmail

["Thijs Kinkhorst" <thijs () debian org>]

Hi Max,

On Thu, May 20, 2010 15:04, Max Olsterd wrote:
> Hi,
>
> Is there a CVE number available for the two 0-days exposed during Hack In
> The Box Dubai 2010 ?

> More info available on the slides of the corporate hackers who found the
> 0-days :
> http://conference.hitb.org/hitbsecconf2010dxb/materials/D1%20-%20Laurent%20Oudot%20-%20Improving%20the%20Stealthiness%20of%20Web%20Hacking.pdf
> -> Squirrelmail: page 69 (post auth vuln)

I don't think there's a CVE number available for the SquirrelMail "issue",
but I also highly doubt that it's actually a vulnerability.

What they basically assert is, that as an authenticated user using the
POP3 fetch mail plugin, you could repeatedly change the POP3 server
settings and as such could 'portscan' a remote target.

This seems just as much a vulnerability as that you could use telnet, or
fetchmail, or Thunderbird, to be a 'portscanner', as these all have the
option to change a remote server address at will. Or that having a shell
account at a system is a security vulnerability as you would be able to
write a bash script to repeatedly netcat to remote hosts. I don't buy
this.

Note that you need to be an authenticated user to do this.


Cheers,

Thijs