Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 17 Mar 2018 14:53:46 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Squirrelmail directory traversal vulnerability
 allows exfiltrating files from server

Hi

On Sat, Mar 17, 2018 at 10:03:43AM +0100, Hanno Böck wrote:
> Hi,
> 
> During the Troopers conference this week an unpatched vulnerability in
> squirrelmail was presented by Florian Grunow from ERNW [1].
> 
> The issue is that when uploading a mail attachment a temporary file is
> generated on the server that the client later references when sending
> the mail. The filename is not sanitized in any way, so by passing a
> filename of the form "../../../../some_path/some_filename" one can use
> this to attach arbitrary files from the server that can be accessed by
> the PHP process to a mail. Thus an attacker who has a mail account
> could use this to exfiltrate files and send them as attachments.
> 
> The bug is unfixed. The finders say they tried to reach out to the
> squirrelmail developers, but were unable to contact them.
> 
> Squirrelmail hasn't had a release for many years and the webpage has
> its last news from 2013. But despite that until recently the subversion
> repository and the provided svn snapshots still provided security
> fixes, e.g. a 2017 found injection vuln [2] was fixed.
> Despite its stale state I believe many people still use squirrelmail,
> in my experience it works better than alternatives like roundcube in
> situations where you have very weak internet connections.
> 
> I created a preliminary quick and dirty patch that should close the
> main hole [3]. It guarantees that the filename only contains letters
> and numbers (this should be okay as the filename is created by
> squirrelmail and usually doesn't contain any user-controlled
> characters in normal operation) and otherwise just terminates the
> process. There may be an obscure cornercase where this patch does not
> fully protect: If for some reason a user can guess another users
> temporary filename while writing a mail one may be able to exfiltrate
> that. I find that unlikely enough that I haven't bothered looking more
> into this.
> 
> The researchers found this flaw while investigating a check point
> appliance that bundles squirrelmail for their webmail functionality. As
> squirrelmail is GPL I asked check point to share the patch, which they
> did and I'm providing it here [4]. I haven't reviewed it, but the ERNW
> people told me it may not work with all PHP versions.
> 
> In any case if anyone has contact to the squirrelmail authors it would
> be great if they could incorporate a fix (and maybe even provide a new
> release). Otherwise everyone using squirrelmail should obviously
> patch this manually.

MITRE has assigned 'CVE-2018-8741' for this issue.

Regards,
Salvatore

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ