From: Brian G. P. <br...@br...> - 2003-12-26 03:06:55
p dont think said:
> http://www.bugtraq.org/advisories/_BSSADV-0001.txt
>
> Brian, sorry, don't have your email handy at the moment,
> hoping you see this message.

Paul,

I'm looking into this, and I'm not sure about the validity of this vulnerability at all. I'd like another pair of eyes on it, if I can impose on you.

The address passed in to us on the To, Cc, or Bcc line is passed to the function gpg_parse_address. You can see the code here:

http://www.braverock.com/cvs/viewcvs.cgi/gpg/gpg_encrypt_functions.php

The gpg_parse_address function starts at line 546.

Under SM 1.4, we call the SM core function rfc822Header->parseAddress.

Under SM 1.2, we call expandRcptAddrs(parseAddrs($send_to_bcc)).

Under both SM 1.2 and SM 1.4, we do some regex matching that I cribbed from the SM code to make sure it is a valid email address.

An attempt to use the hack described in the bugtraq report:

<quote>
Adding a ";command;" to the To: line of a newly created e-mail and then clicking "encrypt now" will execute the command as the Apache user on recent versions of Squirrelmail, including the current CVS version.

Example:

To: ;echo "YO, dudes. Static analysis ain't rocket science." >> /tmp/message;

<click encrypt now to execute!>
</quote>

produces the error message:

/tmp/me...@br...: skipped: public key not found

and DOES NOT result in a file being written in /tmp.

So, I can't recreate the supposed vulnerability. Any help from the community would be appreciated. If there is a vulnerability, I certainly want to resolve it. If there isn't one, I would like to refute it ASAP.

Regards,

- Brian
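The two defences Brian describes (recipient addresses are parsed and regex-checked before anything reaches gpg) are what decide whether a ";command;" in the To: line can ever become a shell command. The following is an added illustration, not code from the SquirrelMail GPG plugin or from the advisory: it uses a hypothetical address regex (assumed to be in the spirit of, but not identical to, the SquirrelMail check) and shows both the filtering step and the other half of the defence, handing recipients to gpg as an argv list rather than an interpolated shell string. The sample header values are constructed for the example.

```python
import re
import subprocess

# Constructed inputs: two ordinary recipients and the address-shaped string
# from the bugtraq report, exactly as it would appear in a To: header.
NORMAL_HEADER = "alice@example.org, bob@example.net"
INJECTED_HEADER = ';echo "YO, dudes. Static analysis ain\'t rocket science." >> /tmp/message;'

# Assumption: an RFC 822-ish address check. The real SquirrelMail regex is
# different; this one is only here to show what a whitelist check does to
# shell metacharacters such as ';', '"', '>' and '/'.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def is_valid_address(addr: str) -> bool:
    """True only for a bare user@domain address; anything else is rejected."""
    return ADDR_RE.match(addr.strip()) is not None


def parse_recipients(header: str):
    """Split a To/Cc/Bcc header on commas and sort tokens into accepted/rejected.

    Note that a comma inside the injected command string splits it into two
    fragments, neither of which survives the address check.
    """
    accepted, rejected = [], []
    for token in header.split(","):
        token = token.strip()
        if not token:
            continue
        (accepted if is_valid_address(token) else rejected).append(token)
    return accepted, rejected


def build_gpg_argv(recipients):
    """Build the gpg command as an argv list.

    Because each recipient is a separate argv element and no shell is involved,
    a ';' inside an address could at worst make gpg report an unknown key;
    it can never start a second command.
    """
    argv = ["gpg", "--batch", "--encrypt"]
    for addr in recipients:
        argv += ["--recipient", addr]
    return argv


def encrypt_for(header: str, plaintext: bytes, run=subprocess.run):
    """Validate the header, then invoke gpg via argv (no shell).

    `run` is injectable so the flow can be exercised without a gpg binary.
    Returns the argv actually used, plus whatever `run` returned.
    """
    accepted, rejected = parse_recipients(header)
    if rejected:
        raise ValueError("refusing to encrypt; bad recipient(s): %r" % rejected)
    argv = build_gpg_argv(accepted)
    result = run(argv, input=plaintext, capture_output=True)
    return argv, result


if __name__ == "__main__":
    print(parse_recipients(NORMAL_HEADER))
    print(parse_recipients(INJECTED_HEADER))
    try:
        encrypt_for(INJECTED_HEADER, b"hello")
    except ValueError as exc:
        print(exc)
```

The point of the argv list is that it removes the question of "does the regex catch every metacharacter" from the security argument: even an address that slipped through validation would be one string in gpg's argument vector, never text re-parsed by /bin/sh. Validation then only needs to give a sensible error for junk input, which is the behaviour Brian reports seeing ("skipped: public key not found").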