mailing list archives
squirrelmail: squirrelspell plugin check_me.mod.php bug
From: <skylined () edup tudelft nl>
Date: 4 Feb 2002 15:02:02 -0000
In-Reply-To: <1184.108.40.206.130.1011887757.squirrel () mail bsquad sm pl>
Squirrelspell v0.3.1 is know to be affected,
vulnerability of other versions is unknown.
The buggy code (extraction):
// Define the command used to spellcheck the
// For the simplicity's sake we'll put all text into a file
// in attachment_dir directory, then cat it and pipe it to
// There are other ways to do it, including popen(), but
// and no fun at all.
// NOTE: This will probably change in future releases
// for privacy reasons.
$floc = "$attachment_dir/
$username" . "_sqspell_data.txt";
exec("cat $floc | $sqspell_command",
Seems to me one could insert commands in
$attachment_dir, $username_sqspell_data and
$SQSPELL_APP[$sqspell_use_app]. Nevermind the
other variables; any file I/O errors do NOT stop the
exec() from being executed. (This goes for the "Fatal
error: Call to undefined function: sqspell_getlang() in
p on line 59" too.)
Squirrelmail normally is configured to run as
user "nobody" which is pretty safe but not perfect (so
On a normal installation, squirrelmail should only
have write access to /tmp and /[squirrelmail-
installation-path]/data. About read access I'm not
sure, it probably doesn't have much rights there too.
The installation manual tells user they SHOULD
make /data inaccessable through you httpd, let's
hope they did.
I'm not a linux security expert but having access
as "nobody" to the server doesn't strike me as a BIG
vulnerability. Having access to the squirrelmail "data"
directory might be a whole different story.
PS. *.tudelft.nl is mostly unreachable pending a fix in
the nameserver, any mail replies might thus bounce,
please try again later.
More (recently updated) info & online exploit can be
found at http://220.127.116.11/skylined?
(=18.104.22.168 untill the nameserver's fixed)
- squirrelmail: squirrelspell plugin check_me.mod.php bug skylined (Feb 05)