Re: [SM-PLUGINS] GPG security threat

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

p dont think said:
> http://www.bugtraq.org/advisories/_BSSADV-0001.txt
>
> Brian, sorry, don't have your email handy at the moment,
> hoping you see this message.

Paul,

I'm looking into this, and I'm not sure about the validity of this
vulnerability at all.  I'd like another pair of eyes on it, if I can
impose on you.

The address passed in to us on the to, cc, or bcc line is passed to
function gpg_parse_address.  You can see the code here:

http://www.braverock.com/cvs/viewcvs.cgi/gpg/gpg_encrypt_functions.php

The gpg_parse_address function starts at line 546.

Under SM 1.4, we call the SM core function rfc822Header->parseAddress. 
Under SM 1.2, we call expandRcptAddrs(parseAddrs($send_to_bcc))

Under both SM 1.2 and SM 1.4, we do some regex matching that I cribbed
from the SM code to make sure it is a valid email address.

An attempt to use the hack described in the bugtraq report:

<quote>
Adding a ";command;" to the To: line of a newly created e-mail and then
clicking "encrypt now" will execute the command as the Apache user on
recent versions of Squirrelmail, including the current CVS version.
Example:

To: ;echo "YO, dudes. Static analysis ain't rocket science." >>
/tmp/message; <click encrypt now to execute!>
</quote>

Produces the error message:

/tmp/me...@br...: skipped: public key not found

and DOES NOT result in a file being written in /tmp.

so, I can't recreate the supposed vulnerability.

Any help from the community would be appreciated.  If there is a
vulnerability, I certainly want to resolve it.  If there isn't one, I
would like to refute it ASAP.

Regards,

     - Brian