Date: Mon, 21 Jun 2010 00:25:30 -0700
From: Paul Lesniewski <paul@...irrelmail.org>
To: Josh Bressers <bressers@...hat.com>
Cc: oss-security@...ts.openwall.com, security-2010@...irrelmail.org,
    security@...de.org, coley@...re.org
Subject: Re: [SquirrelMail-Security] CVE Request for Horde and Squirrelmail

Hello all,

>> Is there a CVE number available for the two 0-days exposed during Hack In
>> The Box Dubai 2010 ?
>>
>> Though the exploits were not given during HITB (?), some friends have
>> recently shown me that they found how both products (Squirrelmail and
>> Horde) might be abused to be transformed, so that they become some kind
>> of nmap scanner (banner grab, port scan, etc). It helps at discovering a
>> remote DMZ, internal LAN, etc, by using those webmails as evil internal
>> nmap proxies.
>>
>> More info available on the slides of the corporate hackers who found the
>> 0-days :
>> http://conference.hitb.org/hitbsecconf2010dxb/materials/D1%20-%20Laurent%20Oudot%20-%20Improving%20the%20Stealthiness%20of%20Web%20Hacking.pdf
>> -> Squirrelmail: page 69 (post auth vuln)
>> -> Horde: page 74 (pre auth vuln)
>>
>
> Here goes, there isn't a lot of data on these.
>
> For Squirrelmail:
>
> Here are some important notes from the slide:
> * Default plugin <mail_fetch>, emulates POP3 fetcher with fsockopen()
>   PHP functions, Post Authentication only
>   - No verification on IP / PORTS
> * You can transform SquirrelMail as a kind of Nmap scanner
>
> This has been assigned TEHTRI-SA-2010-009 by the discoverer.
>
> The danger is that this attack could be used to bypass a firewall.
>
> Let's use CVE-2010-1637 for Squirrelmail.

Sorry for the delay. A fix for this issue is now available in the
SquirrelMail source repository. A new stable version (1.4.21) with this
fix will be released in the next week or two.

Links to the patches if you need them now are:

Development version (1.5.2):
http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13950&view=rev

Stable version (1.4.21):
http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13951&view=rev

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
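
The slide notes quoted in the message above describe mail_fetch handing a user-supplied server and port to fsockopen() with no verification. As an added illustration (not code from this thread or from the SquirrelMail patches), this is one way a PHP fetcher could vet the destination first; the function name, the port allowlist and the stub resolver are assumptions.

```php
<?php
// Added illustration, not SquirrelMail code; all names are hypothetical.
const ALLOWED_POP_PORTS = [110, 995]; // assumed policy: pop3 and pop3s only

/**
 * Vet a user-supplied POP3 server and port before any socket is opened.
 * $resolver maps a hostname to a list of IP strings; it is injectable so
 * the check can be exercised offline. Default: DNS A-record lookup.
 * Returns the vetted IP to connect to, or null when the request is refused.
 */
function vet_pop_destination(string $host, $port, ?callable $resolver = null): ?string
{
    // The port must be an integer on the allowlist.
    if (filter_var($port, FILTER_VALIDATE_INT) === false
        || !in_array((int) $port, ALLOWED_POP_PORTS, true)) {
        return null;
    }
    // Take an IP literal as-is, otherwise resolve the name exactly once.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        $resolver = $resolver ?? fn(string $h) => gethostbynamel($h) ?: [];
        $ips = $resolver($host);
    }
    if (!$ips) {
        return null;
    }
    // Refuse if any address is private or reserved (loopback, RFC 1918, link-local).
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return null;
        }
    }
    // The caller connects to this IP, not the hostname, so a second DNS
    // lookup cannot return a different (internal) address.
    return $ips[0];
}

// Constructed sample requests; the stub resolver keeps the demo offline.
$stub = fn(string $h) => ['pop.example.org' => ['203.0.113.10'],
                          'intranet.example.org' => ['10.0.0.5']][$h] ?? [];
$requests = [['pop.example.org', 110], ['pop.example.org', 22],
             ['127.0.0.1', 110], ['intranet.example.org', 995]];
foreach ($requests as [$h, $p]) {
    $ip = vet_pop_destination($h, $p, $stub) ?? 'refused';
    printf("%-22s port %-4d => %s\n", $h, $p, $ip);
}
```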