lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <475BEFFF.6090605@users.sourceforge.net>
Date: Sun, 09 Dec 2007 15:39:11 +0200
From: Tomas Kuliavas <tokul@...rs.sourceforge.net>
To: bugtraq@...urityfocus.com
Subject: Two vulnerabilities in SquirrelMail GPG plugin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Site address: http://www.braverock.com/gpg
SquirrelMail plugin page: http://www.squirrelmail.org/plugin_view.php?id=153

1 issue - Deletion of files writable by web server user

SquirrelMail GPG plugin allows end users to delete or overwrite files
writable by web server user. In default SquirrelMail 1.4.3-1.4.8 setups
end users can delete stored user preferences and address books without
any complex hacks. Default SquirrelMail 1.4.9+ setups and custom rpm or
deb packages are still vulnerable to relative path attacks, because
location of attachment and data directories is known to attacker.

Upstream was notified about vulnerability on 2007-09-24. Patch was
provided on 2007-10-01. I haven't received any response and don't see
fixes in current (2007-12-09) gpg plugin snapshots.

Affected versions: 2.0, 2.0.1 and 2.1
Fix: http://www.topolis.lt/bugtraq/gpg_encrypt.php.diff.gz

2 issue - Unsanitized display of public keys

SquirrelMail GPG plugin does not sanitize imported public key
information. It allows attacker to inject custom html tags in
SquirrelMail message display.

Upstream was notified about vulnerability (with fix) on 2007-10-15. I
haven't received any response and don't see fixes in current
(2007-12-09) gpg plugin snapshots.

Affected versions: 2.0, 2.0.1 and 2.1
Fix: http://www.topolis.lt/bugtraq/gpg_hook_functions.php.diff.gz
POC exploit: http://www.topolis.lt/bugtraq/gpg-unsanitized-js-poc.eml.gz

- --
Tomas Kuliavas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHW+//aYoxl8XwnvYRAjmwAJ0SH7OBb6VRrpmwwY3JY9bmMWN95ACgun5W
JV6Gdv4JD3ngLSXfLYw3poc=
=ajUp
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ