squirrelmail redirect.php local file include vulnerability

Related Vulnerabilities: CVE-2006-2842, CVE-2006-3174

Debian Bug report logs - #373731

Reported by: Oliver Paulus <oliver@code-project.org>

Date: Thu, 15 Jun 2006 11:03:21 UTC

Severity: important

Tags: confirmed, security, upstream

Found in version squirrelmail/2:1.4.4-8

Fixed in version squirrelmail/2:1.4.7-1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#373731; Package squirrelmail.


Acknowledgement sent to Oliver Paulus <oliver@code-project.org>:
New Bug report received and forwarded. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.


Message #5 received at submit@bugs.debian.org:

From: Oliver Paulus <oliver@code-project.org>
To: "submit@bugs.debian.org" <submit@bugs.debian.org>
Subject: squirrelmail redirect.php local file include vulnerability
Date: Thu, 15 Jun 2006 14:42:01 +0200
[Message part 1 (text/plain, inline)]
Package: squirrelmail
Version: 2:1.4.4-8

There is a local file include vulnerability in redirect.php (information
disclosure).

For more information see: http://www.securityfocus.com/bid/18231

Example URI: http://www.example.com/[squirrelmail dir]/src/redirect.php?plugins[]=../../../../etc/passwd%00

-- 
Oliver Paulus

OpenPGP
Key id: 28D9C44F
Fingerprint: EADA 62FC 07DC 3361 A3D6  4174 2DE3 C027 28D9 C44F
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x28D9C44F
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#373731; Package squirrelmail.


Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list.


Message #10 received at 373731@bugs.debian.org:

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Oliver Paulus <oliver@code-project.org>, 373731@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#373731: squirrelmail redirect.php local file include vulnerability
Date: Thu, 15 Jun 2006 13:54:33 +0200
severity 373731 serious
tags 373731 security confirmed upstream
thanks

On Thu, Jun 15, 2006 at 02:42:01PM +0200, Oliver Paulus wrote:
> There is a local file include vulnerability in redirect.php (information
> disclosure).
> 
> For more information see: http://www.securityfocus.com/bid/18231
> 
> Example URI: http://www.example.com/[squirrelmail dir]/src/redirect.php?plugins[]=../../../../etc/passwd%00

Ugh, both file_exists and include_once (!) simply work on the filename
up until the first nul byte. I see that the plugins[] array is actually
never reset in the squirrelmail source or configuration, allowing for
this kind of things.

Since this allows to include (and execute) arbitrary local files,
including ones in /tmp, this seems like to be at least a local arbitrary
code execution vulnerability. It's not even required to be logged in, of
course, to plant an attacking php script in /tmp or so requires a local
account, or alternatively, some other vulnerability.

Thanks for reporting,
--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl



Severity set to `serious' from `normal'. Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to control@bugs.debian.org.


Tags added: security, confirmed, upstream. Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#373731; Package squirrelmail.


Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.


Message #19 received at 373731@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 373731@bugs.debian.org
Cc: team@security.debian.org, Oliver Paulus <oliver@code-project.org>
Subject: Re: Bug#373731: squirrelmail redirect.php local file include vulnerability
Date: Thu, 15 Jun 2006 14:42:15 +0200
[Message part 1 (text/plain, inline)]
Hello all,

> up until the first nul byte. I see that the plugins[] array is actually
> never reset in the squirrelmail source or configuration, allowing for
> this kind of things.

Right, I agree that the bug exists; it has been discussed on the
upstream security@squirrelmail list but I apparently missed out to
follow up to Debian.

However, I doubt the criticality of the issue. It is only exploitable
with register_globals (rg) set to On.

As you might know:
- the Debian 'squirrelmail' Apache configuration ships with rg disabled;
- the Debian 'php4' configuration ships with rg disabled;
- it is well known and well documented that enabling register_globals is
  a security risk.

Therefore, someone who overrides both the PHP and SquirrelMail default
configuration for this setting, while there is no need at all to do so,
is willingly opening up security risks.

Running with register_globals on is not supported with upstream
SquirrelMail and heavily discouraged (?) with PHP.

Of course the bug will be fixed, but for this reason I don't think we
should rush out an advisory or leave this bug to be of serious severity.


I value input on this matter from the security team.


regards,
Thijs
[signature.asc (application/pgp-signature, inline)]
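
Added example, not part of the bug log and not SquirrelMail or Debian code: a small access-log check for the condition discussed in the messages above, a request that supplies its own plugins[] parameter (with a NUL byte or path traversal in the value). The log lines are constructed samples in Apache combined format, and the function names are illustrative.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jun/2006:14:01:02 +0200] "GET /squirrelmail/src/redirect.php?plugins[]=../../../../etc/passwd%00 HTTP/1.1" 200 1874 "-" "-"',
    '192.0.2.11 - - [15/Jun/2006:14:02:10 +0200] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.12 - - [15/Jun/2006:14:03:30 +0200] "GET /squirrelmail/src/redirect.php?plugins%5B0%5D=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 310 "-" "-"',
    '192.0.2.13 - - [15/Jun/2006:14:04:00 +0200] "GET /squirrelmail/src/search.php?what=plugins HTTP/1.1" 200 5120 "-" "-"',
]

REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
PLUGINS_KEY_RE = re.compile(r'^plugins(\[.*\])?$')


def inspect_line(line):
    """Return a finding dict if the request supplies a plugins parameter, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    reasons = set()
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if not PLUGINS_KEY_RE.match(key):  # key is already percent-decoded
            continue
        # The plugin list belongs to the server configuration, so a
        # request-supplied copy is worth flagging on its own.
        reasons.add("request-supplied plugins parameter")
        if "\x00" in value:
            reasons.add("NUL byte in value")
        if ".." in value.replace("\\", "/").split("/"):
            reasons.add("path traversal in value")
    if not reasons:
        return None
    return {"client": m.group("client"), "path": parts.path, "reasons": sorted(reasons)}


def scan(lines):
    """Return the findings for every log line that trips the check."""
    return [f for f in map(inspect_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit only shows that the parameter was sent; whether it had any effect depends on register_globals being on, as discussed above. Parameters sent in a POST body or cookie do not appear in an access log and are not covered by this check.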

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#373731; Package squirrelmail.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.


Message #24 received at 373731@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Thijs Kinkhorst <kink@squirrelmail.org>
Cc: 373731@bugs.debian.org, team@security.debian.org, Oliver Paulus <oliver@code-project.org>
Subject: Re: Bug#373731: squirrelmail redirect.php local file include vulnerability
Date: Thu, 15 Jun 2006 14:49:09 +0200
Thijs Kinkhorst wrote:
> As you might know:
> - the Debian 'squirrelmail' Apache configuration ships with rg disabled;
> - the Debian 'php4' configuration ships with rg disabled;
> - it is well known and well documented that enabling register_globals is
>   a security risk.
> 
> Therefore, someone who overrides both the PHP and SquirrelMail default
> configuration for this setting, while there is no need at all to do so,
> is willingly opening up security risks.
> 
> Running with register_globals on is not supported with upstream
> SquirrelMail and heavily discouraged (?) with PHP.
> 
> Of course the bug will be fixed, but for this reason I don't think we
> should rush out an advisory or leave this bug to be of serious severity.
> 
> 
> I value input on this matter from the security team.

I don't think this warrants a security update for stable.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#373731; Package squirrelmail.


Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.


Message #29 received at 373731@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 373731@bugs.debian.org, Oliver Paulus <oliver@code-project.org>, control@bugs.debian.org
Subject: Re: Bug#373731: squirrelmail redirect.php local file include vulnerability
Date: Thu, 15 Jun 2006 16:12:46 +0200
[Message part 1 (text/plain, inline)]
severity 373731 important
thanks

On Thu, 2006-06-15 at 14:49 +0200, Moritz Muehlenhoff wrote:
> I don't think this warrants a security update for stable.

Thanks. I'm downgrading it to important - I expect a new upstream at the
end of this month that will resolve the bug. I'll check whether or not
to make an upload to Debian for the time in between.


Thijs
[signature.asc (application/pgp-signature, inline)]

Severity set to `important' from `serious'. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#373731; Package squirrelmail.


Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.


Message #36 received at 373731@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 373731@bugs.debian.org
Subject: Re: Bug#373731: squirrelmail redirect.php local file include vulnerability
Date: Tue, 27 Jun 2006 16:05:10 +0200
[Message part 1 (text/plain, inline)]
On Thu, 2006-06-15 at 16:12 +0200, Thijs Kinkhorst wrote:
> Thanks. I'm downgrading it to important - I expect a new upstream at
> the end of this month that will resolve the bug. I'll check whether or
> not to make an upload to Debian for the time in between.

I expect a new upstream version within a week, so I'm waiting for that.


Thijs
[signature.asc (application/pgp-signature, inline)]

Tags added: pending. Request was from www-data <www-data@wolffelaar.nl> to control@bugs.debian.org.


Message sent on to Oliver Paulus <oliver@code-project.org>:
Bug#373731.


Message #41 received at 373731-submitter@bugs.debian.org:

From: www-data <www-data@wolffelaar.nl>
To: control@bugs.debian.org, 373731-submitter@bugs.debian.org, 375782-submitter@bugs.debian.org, 376605-submitter@bugs.debian.org
Subject: Squirrelmail bugs fixed in revision r250
Date: Wed, 05 Jul 2006 00:19:21 +0200
# Fixed in r250 by kink
tag 373731 + pending
tag 375782 + pending
tag 376605 + pending
thanks

These bugs are fixed in revision 250 by kink
and will likely get fixed in the next upload.
Log message:
* New upstream bugfix release.
  + Addresses some low-impact, theoretical or disputed security bugs,
    for which the code is tightened just-in-case:
    - Possible local file inclusion (Closes: #373731, CVE-2006-2842)
    - XSS in search.php (Closes: #375782, CVE-2006-3174)
  + Adds note to db-backend.txt about postgreSQL (Closes: #376605).
* Update maintainer address.





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.


Notification sent to Oliver Paulus <oliver@code-project.org>:
Bug acknowledged by developer.


Message #46 received at 373731-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 373731-close@bugs.debian.org
Subject: Bug#373731: fixed in squirrelmail 2:1.4.7-1
Date: Wed, 05 Jul 2006 07:47:10 -0700
Source: squirrelmail
Source-Version: 2:1.4.7-1

We believe that the bug you reported is fixed in the latest version of
squirrelmail, which is due to be installed in the Debian FTP archive:

squirrelmail_1.4.7-1.diff.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.7-1.diff.gz
squirrelmail_1.4.7-1.dsc
  to pool/main/s/squirrelmail/squirrelmail_1.4.7-1.dsc
squirrelmail_1.4.7-1_all.deb
  to pool/main/s/squirrelmail/squirrelmail_1.4.7-1_all.deb
squirrelmail_1.4.7.orig.tar.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.7.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 373731@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated squirrelmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Tue,  4 Jul 2006 14:49:23 +0200
Source: squirrelmail
Binary: squirrelmail
Architecture: source all
Version: 2:1.4.7-1
Distribution: unstable
Urgency: low
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 squirrelmail - Webmail for nuts
Closes: 373731 375782 376605
Changes: 
 squirrelmail (2:1.4.7-1) unstable; urgency=low
 .
   * New upstream bugfix release.
     + Addresses some low-impact, theoretical or disputed security bugs,
       for which the code is tightened just-in-case:
       - Possible local file inclusion (Closes: #373731, CVE-2006-2842)
       - XSS in search.php (Closes: #375782, CVE-2006-3174)
     + Adds note to db-backend.txt about postgreSQL (Closes: #376605).
 .
   * Checked for standards version to 3.7.2, no changes necessary.
   * Update maintainer address.
Files: 
 9327e164914f423de04e95a14b6980f7 669 web optional squirrelmail_1.4.7-1.dsc
 f53c91d7799cd8fd9d0550f2cc7a8815 612756 web optional squirrelmail_1.4.7.orig.tar.gz
 b93c6d5e765e18df230d220bc3e4ebc0 18213 web optional squirrelmail_1.4.7-1.diff.gz
 be828f0b1f980489834606c7c4bab164 609220 web optional squirrelmail_1.4.7-1_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 02:54:24 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:35:42 2019; Machine Name: buxtehude
