[Dailydave] SquirrelMail GPG Plugin vuln
Stefan Esser
stefan.esser at sektioneins.de
Mon Jul 9 03:26:56 EDT 2007
> Version 2.1 of the SquirrelMail GPG Plugin was published yesterday. It
> blocks an attack vector I found after your mail while quickly grep'ing
> for dangerous PHP calls.
Version 2.1 of the plugin contains several more shell command execution
vulnerabilities and the vendor is aware of this.
And yes, grepping for a few dangerous PHP calls is not that hard and you
will sooner or later find these bugs. However, to quote Halvar:
"Auditing is not supergrep."
The real challenge with the SquirrelMail GPG Plugin vulnerabilities is not
to find them after you got a hint that they exist. The challenge is to find
out that (and how) you can launch them (at least some of them) PRE-AUTH.
I really wonder if the auctioned bug is pre-auth or post-auth. I guess the
latter because otherwise they would have mentioned it.
> Giving out so much information was really stupid ...
Isn't that always the point when you sell a vulnerability in open source
software? If I want to sell you a lighttpd remote exploit and you trust me,
then you know that such a thing exists and you will most probably invest
more time in finding it yourself. The knowledge that something exploitable
really exists is a good motivation to find it.
Stefan