Menu

Search for hundreds of thousands of exploits

"SquirrelMail < 1.4.5-RC1 - Arbitrary Variable Overwrite"

Author

Exploit author

"GulfTech Security"

Platform

Exploit platform

php

Release date

Exploit published date

2015-07-14

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
SquirrelMail Arbitrary Variable Overwrite

Vendor: The SquirrelMail Project Team
Product: SquirrelMail
Version: <= 1.4.5-RC1
Website: http://www.squirrelmail.org/

BID: 14254 
CVE: CVE-2005-2095 
SECUNIA: 16058 
PACKETSTORM: 38709 

Description:
SquirrelMail is a standards-based webmail package written in php. It includes built-in pure PHP support for the IMAP and SMTP protocols. Unfortunately there is a fairly serious variable handling issue in one of the core SquirrelMail scripts that can allow an attacker to take control of variables used within the script, and influence functions and actions within the script. An updated version of SquirrelMail can be downloaded from their official website. Users are advised to update their SquirrelMail installations as soon as possible. 


Variable Overwriting:
There is a fairly serious variable overwriting vulnerability in one of the core SquirrelMail scripts. The vulnerable script makes use of an extract() call in a careless manner, thus allowing us to overwrite any variables declared before the fault extract call is made. Let's have a look at /src/options_identities.php

/**
 * Path for SquirrelMail required files.
 * @ignore
 */
define('SM_PATH','../');

/* SquirrelMail required files. */
require_once(SM_PATH . 'include/validate.php');
require_once(SM_PATH . 'functions/global.php');
require_once(SM_PATH . 'functions/display_messages.php');
require_once(SM_PATH . 'functions/html.php');

/* POST data var names are dynamic because 
   of the possible multiple idents so lets get
   them all
*/

if (!empty($_POST)) {
    extract($_POST);
}

As we can see from the above block of code, the careless extract() call is made after a majority of the important variables used in the application are loaded, thus making them vulnerable to being easily overwritten. In short, by submitting the variable(s) of the attackers choosing a malicious user could easily influence many important variables, and function calls. 


Solution:
Thanks to Jonathan Angliss and the SquirrelMail team for a prompt resolution to this vulnerability. In regards to the updated files 

http://www.squirrelmail.org/download.php 

The latest version of SquirrelMail 1.4.5 can be downloaded from the link above, and users are advised to upgrade as soon as possible. 


Credits:
James Bercegay of the GulfTech Security Research Team
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2018-01-15 "D-Link DNS-325 ShareCenter < 1.05B03 - Multiple Vulnerabilities" webapps php "GulfTech Security"
2018-01-15 "D-Link DNS-343 ShareCenter < 1.05 - Command Injection" webapps php "GulfTech Security"
2018-01-08 "Synology Photostation < 6.7.2-3429 - Multiple Vulnerabilities" webapps php "GulfTech Security"
2018-01-03 "WDMyCloud < 2.30.165 - Multiple Vulnerabilities" remote hardware "GulfTech Security"
2018-01-03 "D-Link DNS-320 ShareCenter < 1.06 - Backdoor Access" remote hardware "GulfTech Security"
2016-10-04 "Mambo < 4.5.4 - SQL Injection" webapps php "GulfTech Security"
2016-08-28 "CubeCart < 3.0.12 - Multiple Vulnerabilities" webapps php "GulfTech Security"
2016-08-18 "X-Cart < 4.1.3 - Arbitrary Variable Overwrite" webapps php "GulfTech Security"
2016-08-14 "Claroline < 1.7.7 - Arbitrary File Inclusion" webapps php "GulfTech Security"
2016-08-11 "SquirrelMail < 1.4.7 - Arbitrary Variable Overwrite" webapps php "GulfTech Security"
2016-03-05 "PHPLib < 7.4 - SQL Injection" webapps php "GulfTech Security"
2016-03-02 "Gallery 2 < 2.0.2 - Multiple Vulnerabilities" webapps php "GulfTech Security"
2016-02-26 "phpRPC < 0.7 - Remote Code Execution" webapps php "GulfTech Security"
2016-02-24 "Mambo < 4.5.3h - Multiple Vulnerabilities" webapps php "GulfTech Security"
2016-02-21 "PEAR LiveUser < 0.16.8 - Arbitrary File Access" webapps php "GulfTech Security"
2016-02-19 "Geeklog < 1.4.0 - Multiple Vulnerabilities" webapps php "GulfTech Security"
2016-02-18 "ADOdb < 4.71 - Cross Site Scripting" webapps php "GulfTech Security"
2015-07-21 "XPCOM - Race Condition" webapps php "GulfTech Security"
2015-07-14 "SquirrelMail < 1.4.5-RC1 - Arbitrary Variable Overwrite" webapps php "GulfTech Security"
2015-07-02 "PHPXMLRPC < 1.1 - Remote Code Execution" webapps php "GulfTech Security"
2015-07-01 "PEAR XML_RPC < 1.3.0 - Remote Code Execution" webapps php "GulfTech Security"
2015-06-29 "XOOPS < 2.0.11 - Multiple Vulnerabilities" webapps php "GulfTech Security"
2015-05-28 "Peercast < 0.1211 - Format String" dos windows "GulfTech Security"
2015-05-16 "Burning Board < 2.3.1 - SQL Injection" webapps php "GulfTech Security"
2015-05-05 "Invision Power Board (IP.Board) < 2.0.3 - Multiple Vulnerabilities" webapps php "GulfTech Security"
2015-04-19 "AZBB < 1.0.07d - Multiple Vulnerabilities" webapps php "GulfTech Security"
2015-01-03 "PhotoPost < 4.85 - Multiple Vulnerabilities" webapps php "GulfTech Security"
2015-01-02 "ReviewPost < 2.84 - Multiple Vulnerabilities" webapps php "GulfTech Security"
2015-01-01 "PhotoPost Classifieds < 2.01 - Multiple Vulnerabilities" webapps php "GulfTech Security"
2014-12-29 "PHP-Calendar < 0.10.1 - Arbitrary File Inclusion" webapps php "GulfTech Security" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected