[Dailydave] SquirrelMail GPG Plugin vuln
James Matthews
nytrokiss at gmail.com
Mon Jul 9 18:41:02 EDT 2007
And now the person that wanted to make money is losing it because of you
people being so nosy! Sniff Sniff =)
On 7/9/07, Nicob <nicob at nicob.net> wrote:
>
> On Monday 9 July 2007 at 08:46 -0500, Charles Miller wrote:
> > Also, the vulnerability Nicob pointed out was pre-auth (mine was post-
> > auth).
>
> Simply sending an email to a user using the PGP plugin was enough to
> compromise the server hosting SquirrelMail. That's nice, as the webmail
> URL doesn't have to be known. The server can even be unreachable from
> the Internet.
>
> That's imho more than pre-auth, as you can blindly send tons of mails to
> random addresses and compromise some servers.
>
> 592 function gpg_check_sign_pgp_mime($message,$fullbodytext) {
> [...]
> 639 //$messageSignedText = escapeshellarg($messageSignedText);
> 640 $messageSignedText = ereg_replace("\"", "\\\"",$messageSignedText );
> [...]
> 661 $command = "echo -n \"$messageSignedText\" | [blablabla]
>
> Nicob
--
http://www.goldwatches.com/watches.asp?Brand=14
http://www.jewelerslounge.com
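
The quoting problem in the excerpt Nicob quotes, shown as an added example that is not part of the original thread or the plugin's own code: escaping only double quotes leaves command substitution active inside a double-quoted shell string, while `escapeshellarg()` or passing the text on stdin does not. Assumptions: the function names are hypothetical, `cat` stands in for the command elided as `[blablabla]`, the sample text is constructed, and the host has a POSIX shell and PHP 7.4 or later.

```php
<?php
// Constructed sample input. The marker is harmless: it only reveals whether
// the shell evaluated the text instead of treating it as data.
$signedText = 'signed "body" $(echo EVALUATED) `echo EVALUATED`';

// Weak form, equivalent to the quoted line 640: only double quotes are
// escaped, so $(...) and backticks are still expanded inside "...".
function weak_quote(string $text): string
{
    return str_replace('"', '\\"', $text);
}

// Hardened form 1: escapeshellarg() wraps the value in single quotes,
// where the shell performs no expansion.
function run_with_escapeshellarg(string $text): string
{
    return (string) shell_exec('printf %s ' . escapeshellarg($text) . ' | cat');
}

// Hardened form 2: keep untrusted text off the command line entirely and
// feed it to the child on stdin. The array form of proc_open() starts the
// program directly, without a shell (PHP >= 7.4).
function run_with_stdin(array $argv, string $text): string
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    fwrite($pipes[0], $text);
    fclose($pipes[0]);               // signal EOF so the child can finish
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return (string) $out;
}

$weak = (string) shell_exec('printf %s "' . weak_quote($signedText) . '"');

// Data survived unchanged only if the output equals the input.
var_dump($weak === $signedText);                                // weak quoting
var_dump(run_with_escapeshellarg($signedText) === $signedText); // escapeshellarg
var_dump(run_with_stdin(['cat'], $signedText) === $signedText); // stdin, no shell
```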