Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20180317135346.GA8389@eldamar.local>
Date: Sat, 17 Mar 2018 14:53:46 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Squirrelmail directory traversal vulnerability
 allows exfiltrating files from server

Hi

On Sat, Mar 17, 2018 at 10:03:43AM +0100, Hanno Böck wrote:
> Hi,
> 
> During the Troopers conference this week an unpatched vulnerability in
> squirrelmail was presented by Florian Grunow from ERNW [1].
> 
> The issue is that when uploading a mail attachment a temporary file is
> generated on the server that the client later references when sending
> the mail. The filename is not sanitized in any way, so by passing a
> filename of the form "../../../../some_path/some_filename" one can use
> this to attach arbitrary files from the server that can be accessed by
> the PHP process to a mail. Thus an attacker who has a mail account
> could use this to exfiltrate files and send them as attachments.
> 
> The bug is unfixed. The finders say they tried to reach out to the
> squirrelmail developers, but were unable to contact them.
> 
> Squirrelmail hasn't had a release for many years and the webpage has
> its last news from 2013. But despite that until recently the subversion
> repository and the provided svn snapshots still provided security
> fixes, e.g. a 2017 found injection vuln [2] was fixed.
> Despite its stale state I believe many people still use squirrelmail,
> in my experience it works better than alternatives like roundcube in
> situations where you have very weak internet connections.
> 
> I created a preliminary quick and dirty patch that should close the
> main hole [3]. It guarantees that the filename only contains letters
> and numbers (this should be okay as the filename is created by
> squirrelmail and usually doesn't contain any user-controlled
> characters in normal operation) and otherwise just terminates the
> process. There may be an obscure cornercase where this patch does not
> fully protect: If for some reason a user can guess another users
> temporary filename while writing a mail one may be able to exfiltrate
> that. I find that unlikely enough that I haven't bothered looking more
> into this.
> 
> The researchers found this flaw while investigating a check point
> appliance that bundles squirrelmail for their webmail functionality. As
> squirrelmail is GPL I asked check point to share the patch, which they
> did and I'm providing it here [4]. I haven't reviewed it, but the ERNW
> people told me it may not work with all PHP versions.
> 
> In any case if anyone has contact to the squirrelmail authors it would
> be great if they could incorporate a fix (and maybe even provide a new
> release). Otherwise everyone using squirrelmail should obviously
> patch this manually.

MITRE has assigned 'CVE-2018-8741' for this issue.

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.