Re: Spam Sent from WebMail

Tomas Kuliavas wrote:
CentOS 4.5 w/ squirrelmail-1.4.8-4.0.1.el4.centos. Plugins are:

CVE-2006-6142, CVE-2007-1262, CVE-2007-2589. Please note that html
filtering functions must be patched to 1.4.10+ level. Having only 1.4.9a
patches is not enough. If changelog says that CVE-2006-6142 is fixed,
check functions/mime.php and make sure that it is similar to 1.4.10a file
and not to 1.4.9a file.

Doesn't seem like it's a security vulnerability in squirrelmail causing this, though your point is valid with regard to the CVEs.


  Installed Plugins
    1. delete_move_next
    2. squirrelspell
    3. newmail
    4. mpppolicygroup
    5. quota_usage

  Available Plugins:
    6. translate
    7. compatibility
    8. spamcop
    9. sent_subfolders
    10. check_quota

Version of check_quota plugin? PHP register_globals setting?

check_quota version 1.4
register_globals = off


Per some suggestions in the thread I was able to determine that they are
not using "mailto.php", but rather compose.php:

/var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
"GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
"http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0";
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Wrong log entry. What you have in the logs before this redirection is made in
SquirrelMail. This page only displays a notice that the message is sent.

In another post, I attached the results of a grep for a specific IP.


If you know the IP of the spammer, check all log entries from that IP address. You
must trace the whole path. How do they log in? Is there a legit login for the same
account at that time? Which pages are opened?

They appear to emulate a browser, from what I can tell. They are using a valid username and password apparently culled from an infected PC somewhere.


Have you tried to protect your webmail traffic? A signed SSL certificate
costs less than 20 USD.

I'd expect they support SSL on their end; this probably wouldn't make any difference.

 - Nick Bright
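The log-tracing advice in this thread (pull every request from the suspect IP and follow the whole path from login to compose) as an added Python example; it is not part of the thread or of SquirrelMail. It assumes Apache "combined" log format, SquirrelMail 1.4's src/login.php, src/redirect.php and src/webmail.php page names, and the compose.php?mail_sent=yes confirmation URL quoted above. All log lines, hosts and addresses are constructed (RFC 5737 test ranges). It goes a step beyond the thread by adding two defender heuristics: a sliding-window count of "mail sent" confirmations per IP, and a check for clients that POST credentials without ever fetching the login form.

```python
"""Trace a webmail session in an Apache access_log by source IP (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The page SquirrelMail 1.4 lands on after a message is sent (quoted in the thread).
SENT_MARKER = "/src/compose.php?mail_sent=yes"

# Constructed sample log: one ordinary user at 203.0.113.7 and one bulk
# sender at 198.51.100.23.  Hostname and addresses are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Oct/2007:21:40:02 -0500] "GET /webmail/src/login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.7 - - [07/Oct/2007:21:40:09 -0500] "POST /webmail/src/redirect.php HTTP/1.1" 302 0 "http://webmail.example.net/webmail/src/login.php" "Mozilla/5.0 (X11; Linux)"
203.0.113.7 - - [07/Oct/2007:21:40:10 -0500] "GET /webmail/src/webmail.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.7 - - [07/Oct/2007:21:41:30 -0500] "GET /webmail/src/read_body.php?mailbox=INBOX&passed_id=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.7 - - [07/Oct/2007:21:45:11 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 "http://webmail.example.net/webmail/src/compose.php?mailbox=INBOX" "Mozilla/5.0 (X11; Linux)"
198.51.100.23 - - [07/Oct/2007:21:53:01 -0500] "POST /webmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.23 - - [07/Oct/2007:21:53:02 -0500] "GET /webmail/src/compose.php?mailbox=None&startMessage=0 HTTP/1.1" 200 31000 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.23 - - [07/Oct/2007:21:54:10 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 "http://webmail.example.net/webmail/src/compose.php?mailbox=None&startMessage=0" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.23 - - [07/Oct/2007:21:54:25 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 "http://webmail.example.net/webmail/src/compose.php?mailbox=None&startMessage=0" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.23 - - [07/Oct/2007:21:54:41 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 "http://webmail.example.net/webmail/src/compose.php?mailbox=None&startMessage=0" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.23 - - [07/Oct/2007:21:54:58 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 "http://webmail.example.net/webmail/src/compose.php?mailbox=None&startMessage=0" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
this line is deliberately not in combined format and must be skipped
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(text):
    """Parse every line of an access_log, silently dropping unparsable ones."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def trace_ip(records, ip):
    """Chronological (time, method, path) tuples for one source IP: the 'whole path'."""
    hits = [(r["ts"], r["method"], r["path"]) for r in records if r["ip"] == ip]
    return sorted(hits, key=lambda t: t[0])


def sends_per_ip(records):
    """Count 'mail sent' confirmation pages per source IP."""
    return Counter(r["ip"] for r in records if SENT_MARKER in r["path"])


def burst_senders(records, limit=3, window=timedelta(minutes=5)):
    """IPs with more than `limit` sends inside any `window`; value is the peak count."""
    times_by_ip = defaultdict(list)
    for r in records:
        if SENT_MARKER in r["path"]:
            times_by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[ip] = peak
    return flagged


def login_without_form(records, ip):
    """True if the IP posted credentials to redirect.php without first fetching login.php.

    A browser loads the login form before submitting it; a scripted client that
    replays stolen credentials often goes straight to the POST (heuristic).
    """
    seen_form = False
    for _ts, method, path in trace_ip(records, ip):
        if method == "GET" and "/src/login.php" in path:
            seen_form = True
        if method == "POST" and "/src/redirect.php" in path and not seen_form:
            return True
    return False


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, peak in burst_senders(recs).items():
        print(f"{ip}: {peak} sends in a 5-minute window, "
              f"login without form: {login_without_form(recs, ip)}")
        for ts, method, path in trace_ip(recs, ip):
            print(f"  {ts:%H:%M:%S} {method} {path}")
```

On a real server the input would come from `open("/var/log/httpd/access_log")` instead of SAMPLE_LOG; the IP to trace is whatever the mail headers or the MTA log point at. The burst threshold is a starting point, not a rule: compare the flagged IP's send rate against the same account's normal days before acting.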
