David Rees said:
> Marc Groot Koerkamp said:
>
>>> http://www.securityfocus.com/bid/7952
>>
>> Ok I inspected the exploit and in SM 1.4 the exploit isn't there. I don't
>> have SM 1.2.x anymore so I didn't check the older versions.
>>
>> The exploit had to do with setting move_messages GET vars. Current
>> Squirrelmail versions retrieve those vars through POST so the
>> vulnerability disappeared.
>
> Hi Marc,
>
> I just tested the following on a 1.4.0 setup here:
>
> http://www.example.com/src/read_body.php?mailbox=/etc/passwd&passed_id=1&;
>
> It spit out the /etc/passwd file just fine.  You do have to be logged in,
> though.
>

OK, my mistake, I thought it had to do with deleting mailboxes.

I couldn't reproduce it on Cyrus.

Probably it has to do with the fact that the imap server returns the
content of the non valid mailbox when it tries to select the mailbox.

This seems like an imap-server vulnerability and I guess it's UW.

This means that when I do a telnet session to the imap server I can
achieve the same.

I'm not sure it's up to SM to fix this because if we fix it ( == not
returning imap server messages in case of NO responses ) users can still
access /etc/passwd by a simple telnet session.

But please give more information about the form of the returned
/etc/passwd file. In other words, is it the imap-server message in case of
a NO response?

Regards,

Marc Groot Koerkamp.
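
The thread weighs whether the web front end should act when the IMAP server answers a SELECT on a path-like name. As an added example (not part of the original messages and not SquirrelMail's own code), this is one way a front end could constrain the `mailbox` request parameter to folders the server already listed for the user and keep the server's NO text out of the page. The function names, the sample folder list and the sample NO line are assumptions made for illustration.

```php
<?php
// Added example, not SquirrelMail code. Function names are hypothetical.

/**
 * True only if $requested is a folder the server listed for this user
 * and does not look like a filesystem path.
 */
function is_allowed_mailbox(string $requested, array $listed): bool
{
    // Empty names and control characters are never valid here.
    if ($requested === '' || preg_match('/[\x00-\x1f\x7f]/', $requested)) {
        return false;
    }
    // Names a server may resolve on the filesystem: absolute paths,
    // home-relative names, and parent-directory segments.
    if ($requested[0] === '/' || $requested[0] === '~'
        || preg_match('#(^|/)\.\.(/|$)#', $requested)) {
        return false;
    }
    // INBOX is case-insensitive; everything else must match LIST exactly.
    if (strcasecmp($requested, 'INBOX') === 0) {
        return true;
    }
    return in_array($requested, $listed, true);
}

/** Log the server's response text; show the user a fixed message instead. */
function select_error_for_user(string $serverResponse): string
{
    error_log('IMAP SELECT failed: ' . $serverResponse);
    return 'The requested folder could not be opened.';
}

// Constructed sample data: folders returned by LIST for one user.
$listed = ['INBOX', 'INBOX.Sent', 'INBOX.Trash'];

foreach (['INBOX.Sent', 'inbox', '/etc/passwd', 'INBOX.Unknown'] as $name) {
    $verdict = is_allowed_mailbox($name, $listed) ? 'allow' : 'reject';
    printf("%-16s %s\n", $name, $verdict);
}

// Constructed NO line; only the fixed text reaches the browser.
echo select_error_for_user('A002 NO SELECT failed'), "\n";
```

The allow-list check does not depend on which IMAP server is behind the front end, and it leaves direct IMAP access, the telnet case raised above, to be handled on the server itself.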

