Vulnerabilities > CVE-2005-0103 - Code Injection vulnerability in Squirrelmail

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
squirrelmail
CWE-94
nessus

Summary

PHP remote file inclusion vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to execute arbitrary PHP code by modifying a URL parameter to reference a URL on a remote web server that contains the code.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Nessus

  • NASL familyCGI abuses
    NASL idSQUIRRELMAIL_144.NASL
    descriptionThe target is running at least one instance of SquirrelMail whose version number suggests it is affected by one or more cross-site scripting vulnerabilities : - Insufficient escaping of integer variables in webmail.php allows a remote attacker to include HTML / script into a SquirrelMail webpage (affects 1.4.0-RC1 - 1.4.4-RC1). - Insufficient checking of incoming URL vars in webmail.php allows an attacker to include arbitrary remote web pages in the SquirrelMail frameset (affects 1.4.0-RC1 - 1.4.4-RC1). - A recent change in prefs.php allows an attacker to provide a specially crafted URL that could include local code into the SquirrelMail code if and only if PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id16228
    published2005-01-24
    reporterThis script is Copyright (C) 2005-2018 George A. Theall
    sourcehttps://www.tenable.com/plugins/nessus/16228
    titleSquirrelMail < 1.4.4 Multiple Vulnerabilities
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200501-39.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200501-39 (SquirrelMail: Multiple vulnerabilities) SquirrelMail fails to properly sanitize certain strings when decoding specially crafted strings, which can lead to PHP file inclusion and XSS. Insufficient checking of incoming URLs in prefs.php (CAN-2005-0075) and in webmail.php (CAN-2005-0103). Insufficient escaping of integers in webmail.php (CAN-2005-0104). Impact : By sending a specially crafted URL, an attacker can execute arbitrary code from the local system with the permissions of the web server. Furthermore by enticing a user to load a specially crafted URL, it is possible to display arbitrary remote web pages in Squirrelmail
    last seen2020-06-01
    modified2020-06-02
    plugin id16430
    published2005-02-14
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/16430
    titleGLSA-200501-39 : SquirrelMail: Multiple vulnerabilities
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_79630C0C8DCC45D099084087FE1D618C.NASL
    descriptionA SquirrelMail Security Advisory reports : SquirrelMail 1.4.4 has been released to resolve a number of security issues disclosed below. It is strongly recommended that all running SquirrelMail prior to 1.4.4 upgrade to the latest release. Remote File Inclusion Manoel Zaninetti reported an issue in src/webmail.php which would allow a crafted URL to include a remote web page. This was assigned CAN-2005-0103 by the Common Vulnerabilities and Exposures. Cross Site Scripting Issues A possible cross site scripting issue exists in src/webmail.php that is only accessible when the PHP installation is running with register_globals set to On. This issue was uncovered internally by the SquirrelMail Development team. This isssue was assigned CAN-2005-0104 by the Common Vulnerabilities and Exposures. A second issue which was resolved in the 1.4.4-rc1 release was uncovered and assigned CAN-2004-1036 by the Common Vulnerabilities and Exposures. This issue could allow a remote user to send a specially crafted header and cause execution of script (such as JavaScript) in the client browser. Local File Inclusion A possible local file inclusion issue was uncovered by one of our developers involving custom preference handlers. This issue is only active if the PHP installation is running with register_globals set to On.
    last seen2020-06-01
    modified2020-06-02
    plugin id18992
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/18992
    titleFreeBSD : squirrelmail -- XSS and remote code injection vulnerabilities (79630c0c-8dcc-45d0-9908-4087fe1d618c)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-135.NASL
    descriptionAn updated Squirrelmail package that fixes several security issues is now available for Red Hat Enterprise Linux 3. SquirrelMail is a standards-based webmail package written in PHP4. Jimmy Conner discovered a missing variable initialization in Squirrelmail. This flaw could allow potential insecure file inclusions on servers where the PHP setting
    last seen2020-06-01
    modified2020-06-02
    plugin id16370
    published2005-02-10
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/16370
    titleRHEL 3 : squirrelmail (RHSA-2005:135)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-099.NASL
    descriptionAn updated Squirrelmail package that fixes several security issues is now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. SquirrelMail is a standards-based webmail package written in PHP4. Jimmy Conner discovered a missing variable initialization in Squirrelmail. This flaw could allow potential insecure file inclusions on servers where the PHP setting
    last seen2020-06-01
    modified2020-06-02
    plugin id17185
    published2005-02-22
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/17185
    titleRHEL 4 : squirrelmail (RHSA-2005:099)

Oval

accepted2013-04-29T04:07:36.585-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionPHP remote file inclusion vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to execute arbitrary PHP code by modifying a URL parameter to reference a URL on a remote web server that contains the code.
familyunix
idoval:org.mitre.oval:def:10670
statusaccepted
submitted2010-07-09T03:56:16-04:00
titlePHP remote file inclusion vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to execute arbitrary PHP code by modifying a URL parameter to reference a URL on a remote web server that contains the code.
version26

Redhat

advisories
  • rhsa
    idRHSA-2005:099
  • rhsa
    idRHSA-2005:135
rpms
  • squirrelmail-0:1.4.3a-9.EL4
  • squirrelmail-0:1.4.3a-9.EL3