[UNIX] Squirrelmail compose.php Variable Overwriting

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Squirrelmail compose.php Variable Overwriting
------------------------------------------------------------------------


SUMMARY

A Squirrelmail logged in user could overwrite random variables in 
compose.php, which might make it possible to read/write other users' 
preferences or attachments.

DETAILS

Vulnerable Systems:
 * Squirrelmail version 1.4.0 up to version 1.4.7

Immune Systems:
 * Squirrelmail version 1.4.8

The function that the bug was in, was actually broken in the latest 
release of SquirrelMail. Therefore the simple fix is to just remove that 
function entirely if you don't miss it. The patch below restores the 
functionality (resume a compose session when the user's session expired) 
and fixes the hole.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4019> 
CVE-2006-4019

Patch:
A patch is available from:  
<http://www.squirrelmail.org/patches/sqm1.4.7-expired-post-fix-full.patch> 
http://www.squirrelmail.org/patches/sqm1.4.7-expired-post-fix-full.patch

Index: functions/auth.php
 ===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/functions/auth.php,v
retrieving revision 1.34.2.11
diff -u -r1.34.2.11 auth.php
--- functions/auth.php 14 Apr 2006 22:27:07 -0000 1.34.2.11
+++ functions/auth.php 4 Aug 2006 14:17:17 -0000
@@ -60,6 +60,8 @@
             
sqsession_register($session_expired_location,'session_expired_location');
         }
 
+        session_write_close();
+
         // signout page will deal with users who aren't logged
         // in on its own; don't show error here
         //
Index: src/compose.php
 ===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/compose.php,v
retrieving revision 1.319.2.68
diff -u -r1.319.2.68 compose.php
--- src/compose.php 14 Apr 2006 22:27:08 -0000 1.319.2.68
+++ src/compose.php 4 Aug 2006 14:17:19 -0000
@@ -258,13 +258,19 @@
         sqsession_unregister('session_expired_post');
         session_write_close();
     } else {
-        foreach ($session_expired_post as $postvar => $val) {
-            if (isset($val)) {
-                $$postvar = $val;
-            } else {
-                $$postvar = '';
+        // these are the vars that we can set from the expired composed 
session
+        $compo_var_list = array ( 'send_to', 
'send_to_cc','body','startMessage',
+            
'passed_body','use_signature','signature','attachments','subject','newmail',
+            'send_to_bcc', 'passed_id', 'mailbox', 
'from_htmladdr_search', 'identity',
+            'draft_id', 'delete_draft', 'mailprio', 'edit_as_new', 
'compose_messsages',
+            'composesession', 'request_mdn', 'request_dr');
+
+        foreach ($compo_var_list as $var) {
+            if ( isset($session_expired_post[$var]) && !isset($$var) ) {
+         $$var = $session_expired_post[$var];
             }
         }
+
         $compose_messages = unserialize(urldecode($restoremessages));
         sqsession_register($compose_messages,'compose_messages');
         sqsession_register($composesession,'composesession');
Index: src/login.php
 ===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/login.php,v
retrieving revision 1.98.2.13
diff -u -r1.98.2.13 login.php
--- src/login.php 2 Jun 2006 15:51:45 -0000 1.98.2.13
+++ src/login.php 4 Aug 2006 14:17:19 -0000
@@ -43,13 +43,24 @@
 }
 $base_uri = sqm_baseuri();
 
-/*
+/**
  * In case the last session was not terminated properly, make sure
- * we get a new one.
+ * we get a new one, but make sure we preserve session_expired_*
  */
 
-sqsession_destroy();
-
+if ( !empty($_SESSION['session_expired_post']) && 
!empty($_SESSION['session_expired_location']) ) {
+    $sep = $_SESSION['session_expired_post'];
+    $sel = $_SESSION['session_expired_location'];
+
+    sqsession_destroy();
+
+    sqsession_is_active();
+    sqsession_register($sep, 'session_expired_post');
+    sqsession_register($sel, 'session_expired_location');
+} else {
+    sqsession_destroy();
+}
+
 header('Pragma: no-cache');
 
 do_hook('login_cookie');
Index: src/redirect.php
 ===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/redirect.php,v
retrieving revision 1.72.2.11
diff -u -r1.72.2.11 redirect.php
--- src/redirect.php 14 Apr 2006 22:27:08 -0000 1.72.2.11
+++ src/redirect.php 4 Aug 2006 14:17:19 -0000
@@ -146,11 +146,15 @@
 
 if ( sqgetGlobalVar('session_expired_location', 
$session_expired_location, SQ_SESSION) ) {
     sqsession_unregister('session_expired_location');
-    $compose_new_win = getPref($data_dir, $username, 'compose_new_win', 
0);
-    if ($compose_new_win) {
-        $redirect_url = $session_expired_location;
-    } elseif ( strpos($session_expired_location, 'webmail.php') === FALSE 
) {
-        $redirect_url = 
'webmail.php?right_frame='.urldecode($session_expired_location);
+    if ( strpos($session_expired_location, 'compose.php') !== FALSE ) {
+        $compose_new_win = getPref($data_dir, $username, 
'compose_new_win', 0);
+        if ($compose_new_win) {
+            $redirect_url = $session_expired_location;
+        } elseif ( strpos($session_expired_location, 'webmail.php') === 
FALSE ) {
+            $redirect_url = 'webmail.php?right_frame=compose.php';
+        }
+    } else {
+        $redirect_url = 'webmail.php?right_frame=' . 
urldecode($session_expired_location);
     }
     unset($session_expired_location);
 }
Index: src/webmail.php
 ===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/webmail.php,v
retrieving revision 1.92.2.18
diff -u -r1.92.2.18 webmail.php
--- src/webmail.php 2 Jun 2006 15:51:50 -0000 1.92.2.18
+++ src/webmail.php 4 Aug 2006 14:17:19 -0000
@@ -52,10 +52,6 @@
     $mailbox = 'INBOX';
 }
 
-if ( isset($_SESSION['session_expired_post']) ) {
-    sqsession_unregister('session_expired_post');
-}
-
 if(!sqgetGlobalVar('mailto', $mailto)) {
     $mailto = '';
 }


ADDITIONAL INFORMATION

The information has been provided by James Bercegay of GulfTech Security 
Research.
The original article can be found at:  
<http://www.squirrelmail.org/security/issue/2006-08-11> 
http://www.squirrelmail.org/security/issue/2006-08-11



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.