Date: Sat, 17 Mar 2018 10:03:43 +0100 From: Hanno Böck <hanno@...eck.de> To: Open Source Security <oss-security@...ts.openwall.com> Subject: Squirrelmail directory traversal vulnerability allows exfiltrating files from server Hi, During the Troopers conference this week an unpatched vulnerability in squirrelmail was presented by Florian Grunow from ERNW . The issue is that when uploading a mail attachment a temporary file is generated on the server that the client later references when sending the mail. The filename is not sanitized in any way, so by passing a filename of the form "../../../../some_path/some_filename" one can use this to attach arbitrary files from the server that can be accessed by the PHP process to a mail. Thus an attacker who has a mail account could use this to exfiltrate files and send them as attachments. The bug is unfixed. The finders say they tried to reach out to the squirrelmail developers, but were unable to contact them. Squirrelmail hasn't had a release for many years and the webpage has its last news from 2013. But despite that until recently the subversion repository and the provided svn snapshots still provided security fixes, e.g. a 2017 found injection vuln  was fixed. Despite its stale state I believe many people still use squirrelmail, in my experience it works better than alternatives like roundcube in situations where you have very weak internet connections. I created a preliminary quick and dirty patch that should close the main hole . It guarantees that the filename only contains letters and numbers (this should be okay as the filename is created by squirrelmail and usually doesn't contain any user-controlled characters in normal operation) and otherwise just terminates the process. There may be an obscure cornercase where this patch does not fully protect: If for some reason a user can guess another users temporary filename while writing a mail one may be able to exfiltrate that. I find that unlikely enough that I haven't bothered looking more into this. The researchers found this flaw while investigating a check point appliance that bundles squirrelmail for their webmail functionality. As squirrelmail is GPL I asked check point to share the patch, which they did and I'm providing it here . I haven't reviewed it, but the ERNW people told me it may not work with all PHP versions. In any case if anyone has contact to the squirrelmail authors it would be great if they could incorporate a fix (and maybe even provide a new release). Otherwise everyone using squirrelmail should obviously patch this manually.  https://insinuator.net/2018/03/squirrelmail-full-disclosure-troopers18/  https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html  https://gist.github.com/hannob/3c4f86863c418930ad08853c1109364e  https://paste.pound-python.org/show/OjSLiFTxiBrTk63jqEUu/ -- Hanno Böck https://hboeck.de/ mail/jabber: hanno@...eck.de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.