SquirrelMail Web-based Mail Server Lets Remote Users Execute Arbitrary Code on the Server

Date: Jan 25 2002
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 1.2.2

Description: A vulnerability was reported in SquirrelMail webmail server. A remote user can execute arbitrary commands on the server.

It is reported that the spell checker plugin (check_me.mod.php) allows a remote user to specify commands to be executed on the server. The following type of URL will reportedly trigger the vulnerability:

host/plugins/squirrelspell/modules/check_me.mod.php?SQSPELL_APP[blah]=wall%20hello&sqspell_use_app=blah&attachment_dir=/tmp&username_sqspell_data=plik

Impact: A remote user can execute commands on the server with the privileges of the web server.

Solution: The vendor has released a fixed version (1.2.4), available at: http://www.squirrelmail.org/download.php

The ebuild doesn't need to be changed much. Sorry, I have to get to work now so I can't make a fixed ebuild. But if the bug isn't solved yet when I come back, I'll make one.

Ferry Meyndert <m0rpheus@poseidon.mine.nu>
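For anyone who has to check whether an unpatched 1.2.2 install was hit before the 1.2.4 upgrade landed: the query shape in the advisory is easy to spot in Apache access logs, because a legitimate spell-check request never supplies the plugin's SQSPELL_APP map or server-side settings such as attachment_dir from the client. The following Python script is an added example written for this bug page, not code from the advisory, SquirrelMail or the ebuild. The log lines are constructed sample data in Apache common log format; the script path and parameter names are taken from the advisory's URL, and the helper names (inspect_request, scan_access_log) are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache common-log-format lines (sample data, not from the bug report).
# The second line carries the same query shape as the advisory's example URL.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jan/2002:10:12:01 +0000] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2048
10.0.0.7 - - [25/Jan/2002:10:13:44 +0000] "GET /squirrelmail/plugins/squirrelspell/modules/check_me.mod.php?SQSPELL_APP%5Bblah%5D=wall%20hello&sqspell_use_app=blah&attachment_dir=/tmp&username_sqspell_data=plik HTTP/1.1" 200 512
10.0.0.9 - - [25/Jan/2002:10:15:02 +0000] "POST /squirrelmail/plugins/squirrelspell/modules/check_me.mod.php HTTP/1.1" 200 900
"""

# Common log format: client, two ident/user fields, timestamp, request line, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Script named in the advisory, and the server-side settings its example URL
# supplies from the client. None of these belong in a query string.
TARGET_PATH = "/plugins/squirrelspell/modules/check_me.mod.php"
SERVER_SIDE_KEYS = {"sqspell_use_app", "attachment_dir", "username_sqspell_data"}


def inspect_request(target):
    """Return the reasons a request target matches the advisory's pattern,
    or an empty list for an ordinary request."""
    parts = urlsplit(target)
    if not parts.path.endswith(TARGET_PATH):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    # SQSPELL_APP is the plugin's own configuration array; a client must never
    # be able to populate it. parse_qs already decodes %5B/%5D back to [ and ].
    overrides = sorted(k for k in params if k.startswith("SQSPELL_APP["))
    if overrides:
        reasons.append("client-supplied SQSPELL_APP entries: " + ", ".join(overrides))
    leaked = sorted(SERVER_SIDE_KEYS & set(params))
    if leaked:
        reasons.append("server-side settings in query string: " + ", ".join(leaked))
    return reasons


def scan_access_log(text):
    """Parse each log line and collect the requests that match the pattern."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        reasons = inspect_request(m.group("target"))
        if reasons:
            params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "reasons": reasons,
                "params": {k: v[0] for k, v in params.items()},
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["method"])
        for r in f["reasons"]:
            print("  -", r)
```

Only the GET on the second sample line is flagged; the third line is a POST to the same script, and a POST body never appears in the access log, so a request carrying the same parameters in the body would pass this scan unseen. Log review is therefore a way to find obvious hits after the fact, not a substitute for moving to 1.2.4.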
*** Bug 355 has been marked as a duplicate of this bug. ***
1.2.4

# Copyright 1999-2001 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License, v2 or later
# Author Grant Goodyear <g2boojum@gentoo.org>

PLUGINS=${PN}_plugins-20010604
S=${WORKDIR}/${P}
HTTPD_ROOT="/usr/local/httpd/htdocs"
DESCRIPTION="Webmail for nuts!"
SRC_URI="http://prdownloads.sf.net/${PN}/${P}.tar.bz2 http://www.squirrelmail.org/countdl.php?fileurl=/archives/cvsroot/${PLUGINS}.tar.gz"
HOMEPAGE="http://www.squirrelmail.org"
DEPEND="dev-lang/php net-www/apache"
RDEPEND="virtual/imap"

src_compile() {
	# nothing to compile
	echo "Nothing to compile"
}

src_install () {
	dodir ${HTTPD_ROOT}/${P}
	dosym ${HTTPD_ROOT}/${P} ${HTTPD_ROOT}/${PN}
	cp -r . ${D}/${HTTPD_ROOT}/${P}
	cd ${D}/${HTTPD_ROOT}/${P}/plugins
	# the plugin bundle is fetched as ${PLUGINS}.tar.gz (see SRC_URI)
	tar xvzf ${DISTDIR}/${PLUGINS}.tar.gz
	# unpack each individual plugin tarball from the bundle
	for name in *.tar.gz
	do
		tar xvzf ${name}
	done
	cd ${D}/${HTTPD_ROOT}
	chown -R nobody.nobody ${P}
}
Bah, that's the old one; I got something mixed up with saving. So I will post the new one soon. Argggh
# Copyright 1999-2001 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License, v2 or later
# Author Grant Goodyear <g2boojum@gentoo.org>

PLUGINS=${PN}-20020127_1200-CVS
S=${WORKDIR}/${P}
HTTPD_ROOT="/usr/local/httpd/htdocs"
DESCRIPTION="Webmail for nuts!"
SRC_URI="http://prdownloads.sf.net/${PN}/${P}.tar.bz2 http://www.squirrelmail.org/countdl.php?fileurl=/archives/cvsroot/${PLUGINS}.tar.gz"
HOMEPAGE="http://www.squirrelmail.org"
DEPEND="dev-lang/php net-www/apache"
RDEPEND="virtual/imap"

src_compile() {
	# nothing to compile
	echo "Nothing to compile"
}

src_install () {
	dodir ${HTTPD_ROOT}/${P}
	dosym ${HTTPD_ROOT}/${P} ${HTTPD_ROOT}/${PN}
	cp -r . ${D}/${HTTPD_ROOT}/${P}
	cd ${D}/${HTTPD_ROOT}/${P}/plugins
	# the plugin CVS snapshot is fetched as ${PLUGINS}.tar.gz (see SRC_URI)
	tar xvzf ${DISTDIR}/${PLUGINS}.tar.gz
	# unpack each individual plugin tarball from the snapshot
	for name in *.tar.gz
	do
		tar xvzf ${name}
	done
	cd ${D}/${HTTPD_ROOT}
	chown -R nobody.nobody ${P}
}
Added to portage; older versions removed.
I yanked the plugins because the current plugins come from a CVS snapshot. I don't know how long they keep them available, so I decided not to mess with them.