CVE-2006-0377
CVSS 5.0
Published: 2006-02-23 19:02:00
Revised: 2011-03-07 21:29:54

[Original] CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary IMAP commands via newline characters in the mailbox parameter of the sqimap_mailbox_select command, aka "IMAP injection."


[CNNVD] SquirrelMail IMAP/SMTP Command Injection Vulnerability (CNNVD-200602-359)

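        SquirrelMail is a popular web-based mail service program.
        SquirrelMail provides a graphical interface for interacting with mail servers over the IMAP and SMTP protocols. During normal use of these applications, SquirrelMail does not properly validate the commands and information sent to the mail server, which allows a malicious authenticated user to inject arbitrary IMAP/SMTP commands into the mail server during communication, through the sqimap_mailbox_select command parameter of the SquirrelMail webmail front end.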

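- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: NONE [no impact on the availability of the system]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]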

- CPE (affected platforms and products)

cpe:/a:squirrelmail:squirrelmail:1.4.6_rc1
cpe:/a:squirrelmail:squirrelmail:1.4.3a
cpe:/a:squirrelmail:squirrelmail:1.4.4
cpe:/a:squirrelmail:squirrelmail:1.4_rc1
cpe:/a:squirrelmail:squirrelmail:1.4.3_r3
cpe:/a:squirrelmail:squirrelmail:1.4.4_rc1
cpe:/a:squirrelmail:squirrelmail:1.4.1
cpe:/a:squirrelmail:squirrelmail:1.4.3_rc1
cpe:/a:squirrelmail:squirrelmail:1.4.3
cpe:/a:squirrelmail:squirrelmail:1.4.2
cpe:/a:squirrelmail:squirrelmail:1.4
cpe:/a:squirrelmail:squirrelmail:1.4.5

- OVAL (technical details for detection)

oval:org.mitre.oval:def:11470: CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary IMAP commands via newline characters...
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0377
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0377
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200602-359
(official data source) CNNVD

- Other links and resources

http://www.squirrelmail.org/security/issue/2006-02-15
(PATCH)  CONFIRM  http://www.squirrelmail.org/security/issue/2006-02-15
http://securitytracker.com/id?1015662
(PATCH)  SECTRACK  1015662
http://xforce.iss.net/xforce/xfdb/24849
(UNKNOWN)  XF  squirrelmail-mailbox-imap-injection(24849)
http://www.vupen.com/english/advisories/2006/0689
(UNKNOWN)  VUPEN  ADV-2006-0689
http://www.securityfocus.com/bid/16756
(UNKNOWN)  BID  16756
http://secunia.com/advisories/18985
(VENDOR_ADVISORY)  SECUNIA  18985
http://www.redhat.com/support/errata/RHSA-2006-0283.html
(UNKNOWN)  REDHAT  RHSA-2006:0283
http://www.redhat.com/archives/fedora-announce-list/2006-March/msg00004.html
(UNKNOWN)  FEDORA  FEDORA-2006-133
http://www.novell.com/linux/security/advisories/2006_05_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2006:005
http://www.mandriva.com/security/advisories?name=MDKSA-2006:049
(UNKNOWN)  MANDRIVA  MDKSA-2006:049
http://www.gentoo.org/security/en/glsa/glsa-200603-09.xml
(UNKNOWN)  GENTOO  GLSA-200603-09
http://www.debian.org/security/2006/dsa-988
(UNKNOWN)  DEBIAN  DSA-988
http://secunia.com/advisories/20210
(UNKNOWN)  SECUNIA  20210
http://secunia.com/advisories/19960
(UNKNOWN)  SECUNIA  19960
http://secunia.com/advisories/19205
(UNKNOWN)  SECUNIA  19205
http://secunia.com/advisories/19176
(UNKNOWN)  SECUNIA  19176
http://secunia.com/advisories/19131
(UNKNOWN)  SECUNIA  19131
http://secunia.com/advisories/19130
(UNKNOWN)  SECUNIA  19130
ftp://patches.sgi.com/support/free/security/advisories/20060501-01-U.asc
(UNKNOWN)  SGI  20060501-01-U

- Vulnerability information

SquirrelMail IMAP/SMTP Command Injection Vulnerability
Medium severity  Input validation
2006-02-23 00:00:00 2006-02-24 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. Patch download link:
        http://www.squirrelmail.org/security/issue/2006-02-15

- Vulnerability information (F44579)

Gentoo Linux Security Advisory 200603-9 (PacketStormID:F44579)
2006-03-13 00:00:00
Gentoo  security.gentoo.org
advisory,php,imap,xss
linux,gentoo
CVE-2006-0188,CVE-2006-0195,CVE-2006-0377

Gentoo Linux Security Advisory GLSA 200603-09 - SquirrelMail does not validate the right_frame parameter in webmail.php, possibly allowing frame replacement or cross-site scripting. Martijn Brinkers and Scott Hughes discovered that MagicHTML fails to handle certain input correctly, potentially leading to cross-site scripting. Vicente Aguilera reported that the sqimap_mailbox_select function did not strip newlines from the mailbox or subject parameter, possibly allowing IMAP command injection. Versions less than 1.4.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200603-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: SquirrelMail: Cross-site scripting and IMAP command
            injection
      Date: March 12, 2006
      Bugs: #123781
        ID: 200603-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

SquirrelMail is vulnerable to several cross-site scripting
vulnerabilities and IMAP command injection.

Background
==========

SquirrelMail is a webmail package written in PHP. It supports IMAP and
SMTP protocols.

Affected packages
=================

    -------------------------------------------------------------------
     Package                   /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  mail-client/squirrelmail       < 1.4.6                   >= 1.4.6

Description
===========

SquirrelMail does not validate the right_frame parameter in
webmail.php, possibly allowing frame replacement or cross-site
scripting (CVE-2006-0188). Martijn Brinkers and Scott Hughes discovered
that MagicHTML fails to handle certain input correctly, potentially
leading to cross-site scripting (only Internet Explorer,
CVE-2006-0195). Vicente Aguilera reported that the
sqimap_mailbox_select function did not strip newlines from the mailbox
or subject parameter, possibly allowing IMAP command injection
(CVE-2006-0377).

Impact
======

By exploiting the cross-site scripting vulnerabilities, an attacker can
execute arbitrary scripts running in the context of the victim's
browser. This could lead to a compromise of the user's webmail account,
cookie theft, etc. A remote attacker could exploit the IMAP command
injection to execute arbitrary IMAP commands on the configured IMAP
server.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All SquirrelMail users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/squirrelmail-1.4.6"

Note: Users with the vhosts USE flag set should manually use
webapp-config to finalize the update.

References
==========

  [ 1 ] CVE-2006-0188
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0188
  [ 2 ] CVE-2006-0195
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0195
  [ 3 ] CVE-2006-0377
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0377

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
    

- Vulnerability information (F44274)

SquirrelFlaws.txt (PacketStormID:F44274)
2006-03-02 00:00:00
Vicente Aguilera Diaz  
exploit,imap
CVE-2006-0377

SquirrelMail versions 1.4.5 and below suffer from an IMAP injection flaw. Versions 1.2.7 and below suffer from an SMTP injection flaw. Details provided.

=============================================
INTERNET SECURITY AUDITORS ALERT 2006-002
- Original release date: February 27, 2006
- Last revised: February 27, 2006
- Discovered by: Vicente Aguilera Diaz
- Severity: 3/5
=============================================
I. VULNERABILITY
-------------------------
IMAP/SMTP Injection in SquirrelMail


II. BACKGROUND
-------------------------
SquirrelMail is a standards-based webmail package written in PHP4. It
includes built-in pure PHP support for the IMAP and SMTP protocols,
and all pages render in pure HTML 4.0 (with no JavaScript required)
for maximum compatibility across browsers. It has very few
requirements and is very easy to configure and install. SquirrelMail
has all the functionality you would want from an email client,
including strong MIME support, address books, and folder manipulation.
The product homepage is http://www.squirrelmail.org.


III. DESCRIPTION
-------------------------
SquirrelMail provides a graphical interface to interact with mail
servers across the IMAP and SMTP protocols.
Improper validation of commands and information transmitted by
SquirrelMail to the mail servers during the normal use of this
application (mailbox management, e-mail reading and sending, etc.)
allows an authenticated malicious user to inject arbitrary
IMAP/SMTP commands into the mail servers used by SquirrelMail through
parameters used by the webmail front-end in its communication with
these mail servers.
This becomes dangerous because the injection of these commands
allows an intruder to evade restrictions imposed at application level,
and exploit vulnerabilities that could exist in the mail servers
through IMAP/SMTP commands.


IV. PROOF OF CONCEPT
-------------------------

== IMAP example (1.4.2 version) =============
SquirrelMail Vulnerable parameter: "mailbox"

When a user clicks on the subject of an e-mail, he creates a GET
request such as:
http://<victim>/src/read_body.php?mailbox=INBOX&passed_id=1&startMessage=1&show_more=0

A malicious user can modify the value of the "mailbox" parameter and
inject any IMAP command.
The IMAP command injection has the following structure:
http://<victim>/src/read_body.php?mailbox=INBOX%22%0D%0<ID>
<INJECT_IMAP_COMMAND_HERE>%0D%0A<ID>
%20SELECT%20%22INBOX&passed_id=<CODE>&startMessage=1

Example:
Injection of the RENAME IMAP command across the "mailbox" parameter:
http://<victim>/src/read_body.php?mailbox=INBOX%22%0D%0AZ900%20RENAME%20Trash%20Basura%0d%0aZ910%20SELECT%20%22INBOX&passed_id=22197&startMessage=1



== SMTP example (1.2.7 version) =============
SquirrelMail Vulnerable parameter: "subject" (and possibly others)

When a user sends a message, he creates a POST request like:
POST http://<victim>/src/compose.php HTTP/1.1

...
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"

Proof of Concept
-----------------------------84060780712450133071594948441
...

A malicious user can modify the value of the "subject" parameter and
inject any SMTP command.
Example: Relay from a non-existent e-mail address

...
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"

Proof of Concept%0d%0a.%0d%0a%0d%0amail from:
hacker@domain.com%0d%0arcpt to:
victim@otherdomain.com%0d%0adata%0d%0aThis is a proof of concept of
the SMTP command injection in SquirrelMail%0d%0a.%0d%0a
-----------------------------84060780712450133071594948441
...


V. BUSINESS IMPACT
-------------------------
The IMAP/SMTP command injection allows relay, SPAM, exploitation of
IMAP and SMTP vulnerabilities in the mail servers, and evasion of all
the restrictions at the application layer.


VI. SYSTEMS AFFECTED
-------------------------
IMAP Injection: All versions prior to 1.4.6.
SMTP Injection: SquirrelMail 1.2.7 (and older versions).


VII. SOLUTION
-------------------------
Replace \r and \n from $mailbox in the function sqimap_mailbox_select.
Patch available: http://www.squirrelmail.org/security/issue/2006-02-15


VIII. REFERENCES
-------------------------
- http://www.squirrelmail.org/security/issue/2006-02-15
- CVE-2006-0377


IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Vicente
Aguilera Diaz (vaguilera=at=isecauditors=dot=com).


X. REVISION HISTORY
-------------------------
January 12, 2006:  Initial release
January 20, 2006:  Disclosure timeline updated
February 16, 2006: Disclosure timeline updated
February 27, 2006: Disclosure timeline updated


XI. DISCLOSURE TIMELINE
-------------------------
December, 2005     Vulnerability acquired by Vicente Aguilera Diaz
                   (Internet Security Auditors)
January 12, 2006   Initial vendor notification sent.
January 19, 2006   The vulnerability is fixed in 1.4.6 cvs and
                   1.5.1 cvs.
February 15, 2006  The vendor published the vulnerability in the
                   security section.
February 25, 2006  The CVE-2006-0377 is updated.
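
For defenders, the GET-based injection described in the advisory above leaves percent-encoded CR/LF sequences in web server access logs. The following added example (not part of the original advisory or of SquirrelMail) scans combined-format log lines for query parameters that decode to CR or LF; it generalizes from "mailbox" to any query parameter, and the log lines, addresses and user names are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request part of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def crlf_params(target, max_decode_rounds=3):
    """Return names of query parameters whose decoded value holds CR or LF."""
    hits = []
    query = urlsplit(target).query
    # parse_qsl performs the first round of percent-decoding.
    for name, value in parse_qsl(query, keep_blank_values=True):
        for _ in range(max_decode_rounds):
            if "\r" in value or "\n" in value:
                hits.append(name)
                break
            decoded = unquote(value)  # also look through double encoding
            if decoded == value:
                break
            value = decoded
    return hits


def scan(lines):
    """Yield (line_number, parameter_names) for log lines worth reviewing."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            names = crlf_params(match.group(1))
            if names:
                yield number, names


# Constructed sample log lines (documentation addresses, made-up users).
SAMPLE_LOG = [
    '192.0.2.10 - alice [15/Feb/2006:10:00:01 +0000] "GET /src/read_body.php'
    '?mailbox=INBOX&passed_id=1&startMessage=1&show_more=0 HTTP/1.1" 200 5120',
    '192.0.2.11 - bob [15/Feb/2006:10:00:07 +0000] "GET /src/read_body.php'
    '?mailbox=INBOX%22%0D%0AZ900%20NOOP%0D%0AZ910%20SELECT%20%22INBOX'
    '&passed_id=1&startMessage=1 HTTP/1.1" 200 5120',
    '192.0.2.12 - carol [15/Feb/2006:10:00:09 +0000] "GET /src/read_body.php'
    '?mailbox=INBOX%250d%250aZ900%2520NOOP&passed_id=1 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: CR/LF in parameter(s) {', '.join(names)}")
```

The SMTP case in the advisory travels in a POST body, so it does not appear in access logs and needs request-body inspection instead.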


    

- Vulnerability information

23386
SquirrelMail sqimap_mailbox_select mailbox Parameter Arbitrary IMAP Command Injection

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-02-15 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.4.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
