-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Site address: http://www.braverock.com/gpg
SquirrelMail plugin page: http://www.squirrelmail.org/plugin_view.php?id=153

Issue 1 - Deletion of files writable by the web server user

The SquirrelMail GPG plugin allows end users to delete or overwrite files writable by the web server user. In default SquirrelMail 1.4.3-1.4.8 setups, end users can delete stored user preferences and address books without any complex hacks. Default SquirrelMail 1.4.9+ setups and custom rpm or deb packages are still vulnerable to relative path attacks, because the location of the attachment and data directories is known to the attacker.

Upstream was notified about the vulnerability on 2007-09-24. A patch was provided on 2007-10-01. I haven't received any response and don't see fixes in the current (2007-12-09) gpg plugin snapshots.

Affected versions: 2.0, 2.0.1 and 2.1
Fix: http://www.topolis.lt/bugtraq/gpg_encrypt.php.diff.gz

Issue 2 - Unsanitized display of public keys

The SquirrelMail GPG plugin does not sanitize imported public key information. It allows an attacker to inject custom HTML tags into the SquirrelMail message display.

Upstream was notified about the vulnerability (with a fix) on 2007-10-15. I haven't received any response and don't see fixes in the current (2007-12-09) gpg plugin snapshots.

Affected versions: 2.0, 2.0.1 and 2.1
Fix: http://www.topolis.lt/bugtraq/gpg_hook_functions.php.diff.gz
POC exploit: http://www.topolis.lt/bugtraq/gpg-unsanitized-js-poc.eml.gz

- -- 
Tomas Kuliavas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHW+//aYoxl8XwnvYRAjmwAJ0SH7OBb6VRrpmwwY3JY9bmMWN95ACgun5W
JV6Gdv4JD3ngLSXfLYw3poc=
=ajUp
-----END PGP SIGNATURE-----
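The two issues above are instances of two general checks a webmail plugin that shells out to gpg needs: a user-supplied file name must be confined to the directory the plugin owns, and text lifted from an imported key must be HTML-escaped before it reaches the message view. The following is an added example written for this page; it is not the GPG plugin's code and not the contents of the linked diffs. The function names resolve_within_dir() and render_key_uids(), the sample key listing and the key ID in it are assumptions made for the illustration. It requires PHP 7 or later.

```php
<?php
// Added example, not the plugin's code. Names and sample data are assumptions.

/**
 * Issue 1: confine a user-controlled file name to $base_dir.
 * Returns the absolute path to use, or false to refuse the request.
 */
function resolve_within_dir(string $base_dir, string $user_name)
{
    // The plugin only needs a bare file name, so reject separators, NUL
    // and dot-segments outright rather than trying to repair them.
    if ($user_name === '' || $user_name === '.' || $user_name === '..') {
        return false;
    }
    if (strpbrk($user_name, "/\\\0") !== false) {
        return false;
    }
    $real_base = realpath($base_dir);
    if ($real_base === false) {
        return false; // base directory missing or unreadable
    }
    $candidate = $real_base . DIRECTORY_SEPARATOR . $user_name;
    $real = realpath($candidate);
    if ($real === false) {
        // Target does not exist yet (a file about to be written). The name
        // passed the character checks, so the joined path stays inside.
        return $candidate;
    }
    // An existing entry may be a symlink; realpath() follows it, so the
    // resolved path must still start with the base directory.
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $real;
}

/**
 * Issue 2: user IDs in an imported key are attacker-controlled text.
 * Input is `gpg --with-colons` output: field 5 is the key ID, field 10
 * the user ID. Every field is escaped before it is placed in HTML.
 */
function render_key_uids(string $colon_output): string
{
    $items = array();
    foreach (explode("\n", $colon_output) as $line) {
        $f = explode(':', $line);
        if ($f[0] !== 'pub' && $f[0] !== 'uid') {
            continue;
        }
        $keyid = isset($f[4]) ? $f[4] : '';
        $uid   = isset($f[9]) ? $f[9] : '';
        if ($uid === '') {
            continue;
        }
        // gpg writes a literal ':' inside a field as \x3a; decode it first
        // so the escaping below is applied to the real text.
        $uid = str_replace('\\x3a', ':', $uid);
        $items[] = '<li>'
            . htmlspecialchars($keyid, ENT_QUOTES, 'UTF-8') . ' '
            . htmlspecialchars($uid, ENT_QUOTES, 'UTF-8')
            . '</li>';
    }
    return '<ul>' . implode('', $items) . '</ul>';
}

// Constructed sample listing: a uid whose user ID carries an HTML payload.
$sample = "pub:u:1024:17:0123456789ABCDEF:2007-10-15:::u:::scESC:\n"
        . "uid:u::::2007-10-15::::Mallory <script>alert(1)</script> <m@example.invalid>:\n";

echo render_key_uids($sample), "\n";

var_dump(resolve_within_dir(sys_get_temp_dir(), '../../etc/passwd'));
var_dump(resolve_within_dir(sys_get_temp_dir(), 'pubkey.asc'));
```

In the first var_dump the traversal name is refused and false is returned; in the second the result is a path directly under the temporary directory. In the rendered list the script tag appears as escaped text rather than as markup. The point of the prefix comparison in resolve_within_dir() is that character filtering alone does not catch an existing symlink inside the directory, which is exactly the kind of indirection a relative path attack against a known directory relies on.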