Date: Fri, 21 May 2010 00:14:14 -0500
From: "Marcus I. Ryan" <marcus@...de.org>
To: Max Olsterd <max.olsterd@...il.com>
Cc: oss-security@...ts.openwall.com, security-2010@...irrelmail.org,
security@...de.org
Subject: Re: [core] CVE Request for Horde and Squirrelmail
I'm inactive on the project, so hopefully I'm not speaking out of turn
(I'm assuming another horde member will give a more official response
and/or provide corrections as necessary), but I don't recall a CVE
being issued. We were only notified just before the presentation
which I have to say didn't impress me personally, as it violates
fairly well established best-practices for reporting security issues.

That said, we don't really consider it a bug. If the administrator
reads and follows that documentation, their systems are not exposed.
Part of the problem on our end is that the tool being abused needs to
be turned on by default to help configure new sites, but many
administrators also want to leave these tools enabled after the site
is running and simply lock them down through other means (web server
configs, application-level firewalls, etc.). However, most of those
means are beyond the ability of Horde to detect, so we can't
distinguish between admins who don't read the documentation and admins
that choose other ways of protecting themselves.

We're considering possible features we might add in future versions
that would help make sure things are as secure as possible without
reducing the flexibility we strive for. As with any software that
exposes your system(s) to the public, the best protection is to read,
understand, and follow the documentation (docs/INSTALL and
docs/SECURITY to be specific here).

As Norm Abram says, "Be sure to read, follow, and understand all of
the safety rules that come with your power tools. Knowing how to use
your tools safely greatly reduces the risk of personal injury." Good
advice for woodworkers and IT administrators.

If you have any more concerns, please let us know.
--
Marcus I. Ryan, marcus@...de.org
Quoting Max Olsterd <max.olsterd@...il.com>:
> Hi,
>
> Is there a CVE number available for the two 0-days exposed during Hack In
> The Box Dubai 2010?
>
> Though the exploits were not given during HITB (?), some friends have
> recently shown me that they found how both products (Squirrelmail and Horde)
> might be abused to be transformed, so that they become some kind of nmap
> scanner (banner grab, port scan, etc). It helps at discovering a remote DMZ,
> internal LAN, etc, by using those webmails as evil internal nmap proxies.
>
> More info available on the slides of the corporate hackers who found the
> 0-days:
> http://conference.hitb.org/hitbsecconf2010dxb/materials/D1%20-%20Laurent%20Oudot%20-%20Improving%20the%20Stealthiness%20of%20Web%20Hacking.pdf
> -> Squirrelmail: page 69 (post auth vuln)
> -> Horde: page 74 (pre auth vuln)
>
> Regards,
>
> M@X
>
> NB: Useful links:
>
> SquirrelMail: http://www.squirrelmail.org (one of the most excellent Webmail
> / Opensource)
> Horde: http://www.horde.org (one of the most excellent Webmail Opensource)
> TEHTRI-Security: http://www.tehtri-security.com (seems to be some kind of
> corporate hackers group / company? who found some 0-days recently)
> HITB: http://conference.hitb.org/ (HITB Security Conferences)
>
>