In association with heise online

12 July 2007, 16:19

Vulnerabilities in G/PGP plug-in for Squirrelmail

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

In four security advisories, security service provider iDefense describes , vulnerabilities in the encryption plug-in G/PGP for the popular Webmail application Squirrelmail. Via three of the vulnerabilities, an attacker can execute arbitrary commands on the system with web server privileges. For two of them, previous registration on Squirrelmail is required. One vulnerability can be exploited using specially crafted e-mails.

The vulnerabilities which have now been published by iDefense can be found in gpg_recv_key in the file gpg_key_functions.php, gpg_check_sign_pgp_mime in the file gpg_hook_functions.php and deleteKey in the module gpg_keyring.php. All functions activate the function exec() to call external commands, thereby transferring an entirely unfiltered user parameter. For the vulnerability in gpg_check_sign_pgp_mime the attacker is not required to have a Squirrelmail account: it is sufficient that a victim opens a crafted mail. Using cleverly crafted commands, an attacker could even open a network shell. The fourth vulnerability allows inclusion and execution of locally filed PHP scripts. The scripts at fault are gpg_help.php and gpg_help_base.php, which do not filter the parameters transferred by HTTP-GET.

The developers of the plug-in were informed about the vulnerabilities by iDefense on October 27, 2005, but they still haven't responded even after repeated inquiries. Although Version 2.1 of the plug-in was released on July 7, 2007, the vulnerabilities in deleteKey and gpg_recv_key have still not been eliminated. At least the vulnerabilities in gpg_check_sign_pgp_mime and gpg_help.php and gpg_help_base.php have been fixed. Users of Version 2.0 or previous versions should update to the current version and enter the additional lines in the code as a workaround, as recommended by iDefense. Further details pertaining to this can be found in the original security advisory.

According to a posting on Bugtraq, another vulnerability in Squirrelmail G/PGP, currently up for auction on [ticker:uk_92244 WasiSabiLabi], has a similar cause to these, although the flaw up for auction is in the file keyring_main.php.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit