|
SquirrelMail IMAP/SMTP Injection
Published 20:05:53 08.03.2006
Citat:SquirrelMail is "a standards-based webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation". A vulnerability within SquirrelMail allows authenticated remote attackers to inject arbitrary IMAP/SMTP commands into the SquirrelMail's mail server's connection stream.
Credit:
The information has been provided by Vicente Aguilera Diaz.
Vulnerable Systems:
* IMAP Injection: All versions prior to 1.4.6
* SMTP Injection: SquirrelMail version 1.2.7
Improper command and information validation transmitted by SquirrelMail to the mail servers during the normal use of this application (mailbox management, e-mail reading and sending, etc.) facilitates that an authenticate malicious user could inject arbitrary IMAP/SMTP commands into the mail servers used by SquirrelMail across parameters used by the webmail front-end in its communication with these mail servers.
This is become dangerous because the injection of these commands allows an intruder to evade restrictions imposed at application level, and exploit vulnerabilities that could exist in the mail servers through IMAP/SMTP commands.
Impact:
The IMAP/SMTP command injection allow relay, SPAM, exploit IMAP and SMTP vulnerabilities in the mail servers and evade all the restrictions at the application layer.
Solution:
Replace r and n from $mailbox in the function sqimap_mailbox_select.
Zakrpa: www.squirrelmail.org/security/issue/2006-02-15
Dopuna: 11 Mar 2006 18:54
više informacija, proof of concept, example:
astalavista.org
|
