This page lists information about vulnerabilities I reported on Bugtraq.
Site address: http://www.braverock.com/gpg
SquirrelMail plugin page: http://www.squirrelmail.org/plugin_view.php?id=153
I reviewed the SquirrelMail GPG plugin when I had to port it to my webmail interface. The plugin is full of outdated code and complex hacks. I tried to report those issues to the plugin developer, but the developer decided to ignore my emails, even after I warned him on IRC that I don't like one-way communication. I don't see any progress in the plugin snapshots even though the fixes are trivial and the current code has been producing fatal errors in PHP5 for more than two years. That is why I decided to disclose the plugin vulnerabilities on Bugtraq.
The SquirrelMail GPG plugin allows end users to delete or overwrite files writable by the web server user. In default SquirrelMail 1.4.3-1.4.8 setups, end users can delete stored user preferences and address books without any complex hacks. Default SquirrelMail 1.4.9+ setups and custom rpm or deb packages are still vulnerable to relative-path attacks, because the location of the attachment and data directories is known to the attacker.
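As an added illustration of the bug class described above (this is not the plugin's own code; the directory layout and function names are assumptions made for the example): a user-supplied file name is joined to a directory the web server can write to with no containment check, so "../data/alice.pref" reaches past the attachment directory. The hardened version rejects any directory component and verifies the resolved path before touching it.

```php
<?php
// Illustrative example, not the plugin's code. The layout below is assumed:
// a SquirrelMail data directory holding preferences and address books next
// to a separate attachment directory, both writable by the web server user.

// VULNERABLE: trusts the submitted file name. "../data/alice.pref" escapes
// $attachment_dir and removes another user's preferences; "../data/alice.abook"
// removes their address book.
function delete_attachment_vulnerable($attachment_dir, $name) {
    $path = $attachment_dir . '/' . $name;
    if (file_exists($path)) {
        return unlink($path);
    }
    return false;
}

// HARDENED: refuse anything that is not a bare file name, then confirm the
// resolved path still lies directly inside the intended directory.
function delete_attachment_hardened($attachment_dir, $name) {
    // basename() drops any directory part, so "../x" !== "x" and is refused.
    if ($name === '' || $name !== basename($name)) {
        return false;
    }
    $base = realpath($attachment_dir);
    $path = realpath($attachment_dir . '/' . $name);
    if ($base === false || $path === false) {
        return false;                 // bad directory or missing file
    }
    // Containment check: a symlink pointing outside, or any traversal that
    // survived the basename test, resolves to a different parent directory.
    if (dirname($path) !== $base) {
        return false;
    }
    return unlink($path);
}

// Constructed demonstration in a temporary tree (no SquirrelMail install needed).
$root = sys_get_temp_dir() . '/sm_demo_' . getmypid();
mkdir("$root/data", 0700, true);
mkdir("$root/attach", 0700, true);
file_put_contents("$root/data/alice.pref", "theme=default\n");
file_put_contents("$root/attach/upload.bin", "x");

// The vulnerable version removes a preferences file outside its directory.
var_dump(delete_attachment_vulnerable("$root/attach", '../data/alice.pref'));
var_dump(file_exists("$root/data/alice.pref"));

// The hardened version refuses the same input and only removes its own files.
file_put_contents("$root/data/alice.pref", "theme=default\n");
var_dump(delete_attachment_hardened("$root/attach", '../data/alice.pref'));
var_dump(file_exists("$root/data/alice.pref"));
var_dump(delete_attachment_hardened("$root/attach", 'upload.bin'));

// Clean up the demo tree.
foreach (array("$root/data/alice.pref", "$root/attach/upload.bin") as $f) {
    if (file_exists($f)) {
        unlink($f);
    }
}
rmdir("$root/data");
rmdir("$root/attach");
rmdir($root);
```

The basename() test alone is not enough when the directory can contain symlinks created by other code paths, which is why the realpath() comparison is kept as a second check; and since the attack in the text needs only the known default directory locations, no check based on secrecy of the path would help.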
Upstream was notified about the vulnerability on 2007-09-24. A patch was provided on 2007-10-01. I have received no response and see no fixes in the current (2007-12-09) gpg plugin snapshots.
Affected versions: 2.0, 2.0.1 and 2.1
Public disclosure: 2007-12-09
Bugtraq ID: 26788
The SquirrelMail GPG plugin does not sanitize imported public key information. This allows an attacker to inject arbitrary HTML tags into the SquirrelMail message display.
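An added example, not the plugin's code and not the attached fix: key user IDs are written by whoever generated the key, so they are attacker-controlled text and must be HTML-escaped before they are shown. The sample `gpg --with-colons` output below is constructed for the example; the function names are assumptions.

```php
<?php
// Illustrative example, not the plugin's own code. The gpg output below is
// constructed; the uid carries an HTML payload in its free-text field.
$gpg_output = <<<'OUT'
pub:-:1024:17:0123456789ABCDEF:2007-10-15::-:::scESC:
uid:-::::2007-10-15::DEADBEEFDEADBEEFDEADBEEFDEADBEEF::Eve\x3a <img src=x onerror=alert(1)> <eve@example.org>:
sub:-:2048:16:FEDCBA9876543210:2007-10-15::::::e:
OUT;

// Parse uid records from --with-colons output. Field 10 is the user ID;
// gpg encodes ':' and non-printable bytes in text fields as \xNN escapes,
// so decode those after splitting on the colons.
function gpg_list_uids($output) {
    $uids = array();
    foreach (preg_split('/\r?\n/', $output) as $line) {
        $f = explode(':', $line);
        if ($f[0] !== 'uid' || !isset($f[9])) {
            continue;
        }
        $uids[] = preg_replace_callback('/\\\\x([0-9A-Fa-f]{2})/',
            function ($m) { return chr(hexdec($m[1])); }, $f[9]);
    }
    return $uids;
}

// VULNERABLE: the raw uid is interpolated into the markup that the message
// display renders, so the <img onerror=...> above runs in the webmail origin.
function render_uid_vulnerable($uid) {
    return "<li>$uid</li>";
}

// HARDENED: escape the uid for an HTML text context. ENT_QUOTES also covers
// the case where the same value is later reused inside an attribute.
function render_uid_hardened($uid) {
    return '<li>' . htmlspecialchars($uid, ENT_QUOTES, 'UTF-8') . '</li>';
}

foreach (gpg_list_uids($gpg_output) as $uid) {
    echo render_uid_vulnerable($uid), "\n";
    echo render_uid_hardened($uid), "\n";
}
```

The same rule applies to every other field taken from the key (comment, email, fingerprint labels): escape at the point where the value enters HTML, not at import time, so the stored key data stays usable for gpg itself.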
Upstream was notified about the vulnerability (with a fix) on 2007-10-15. I have received no response and see no fixes in the current (2007-12-09) gpg plugin snapshots.
Affected versions: 2.0, 2.0.1 and 2.1
Fix: gpg_hook_functions.php.diff.gz
POC exploit: gpg-unsanitized-js-poc.eml.gz
Public disclosure: 2007-12-09
Bugtraq ID: 26788
Site address: http://roundcube.net/
Roundcube webmail does not sanitize the Microsoft Internet Explorer scripting issues reported by Yosuke Hasegawa. The author was contacted on 2007-05-11. I have received no response, and the current (2007-12-09) code is still vulnerable.
Report about the IE issues: in Japanese and in English.
Please note that Hasegawa's report does not include the additional attack vectors available in Wine-based IE setups.
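An added example, not Roundcube's own HTML washer: IE evaluates `expression(...)` in style attributes as script, and a check for the literal string "expression(" is defeated by CSS comments and backslash escapes that IE tolerates inside identifiers. The sanitizer below normalizes the style text before deciding; the sample styles are constructed and the function names are assumptions.

```php
<?php
// Illustrative example, not Roundcube's code. Detection works on a
// normalized copy of the style text; the original is only kept or dropped.

// Decode CSS backslash escapes: \HHHHHH (1-6 hex digits, optional trailing
// whitespace) and \<char>, so "\65xpression" and "e\xpression" read as
// "expression". Non-ASCII code points are emitted as UTF-8.
function css_unescape($css) {
    $css = preg_replace_callback('/\\\\([0-9A-Fa-f]{1,6})[ \t\r\n\f]?/',
        function ($m) {
            $cp = hexdec($m[1]);
            return $cp < 0x80 ? chr($cp)
                              : html_entity_decode('&#' . $cp . ';', ENT_QUOTES, 'UTF-8');
        }, $css);
    return preg_replace('/\\\\(.)/s', '$1', $css);
}

// Normalized form used only for matching: comments removed (IE accepts them
// in the middle of an identifier), escapes decoded, whitespace and control
// characters dropped, lower-cased.
function css_normalize($css) {
    $css = preg_replace('%/\*.*?\*/%s', '', $css);
    $css = css_unescape($css);
    $css = preg_replace('/[\x00-\x20]+/', '', $css);
    return strtolower($css);
}

// True when the style text would reach IE's expression() after IE's own
// lenient parsing.
function css_has_expression($css) {
    return strpos(css_normalize($css), 'expression(') !== false;
}

// Policy: drop the whole style attribute rather than try to repair it.
function sanitize_style_attr($css) {
    return css_has_expression($css) ? '' : $css;
}

// Constructed samples: obfuscations of the same payload plus a benign style.
$samples = array(
    'width: expression(alert(1))',
    'width: exp/**/ression(alert(1))',
    'width: \65xpression(alert(1))',
    'width: e\xpression  (alert(1))',
    "width: ex\\\npression(alert(1))",
    'color: red; font-family: "expressionist"',
);
foreach ($samples as $css) {
    printf("%-45s => %s\n", $css, css_has_expression($css) ? 'DROP' : 'keep');
}
```

Two caveats: the style value must be handed to this check after the HTML parser has decoded entities, otherwise `&#x65;xpression` slips past as well; and normalization is deliberately destructive (it strips all whitespace), so never emit the normalized text, only use it to decide whether the original attribute survives.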
Affected versions: checked 0.1rc2 and the 2007-12-09 svn trunk.
POC exploit: expression.eml.gz
Public disclosure: 2007-12-09
Bugtraq ID: 26800
Tomas Kuliavas
Last modified: Fri Dec 21 12:57:51 EET 2007