[VIM] SquirrelMail GPG Plugin Vulnerabilities
George A. Theall
theall at tenablesecurity.com
Tue Jul 10 01:46:25 UTC 2007
I'm trying to make sense of the spate of recent vulnerabilities
associated with the GPG Plugin for SquirrelMail.
o There's the WabiSabiLabi advisory (ZD-00000004) that sparked the
interest. It supposedly affects version 2.0 of the plugin, is remotely
exploitable, and allows for command execution.
o The author released version 2.1 of the plugin on 7/7 and says it
"contains security fixes to prevent possible command injection attacks
by local authenticated users against the webserver user." I don't find
any reference in the release or on the author's site to the WabiSabiLabi
advisory per se, and the CVS commit log for the software, at
<http://www.braverock.com/gpg/statcvs/commit_log.html>, shows only a
single change in 2007, made on 7/7, for a local file include issue in
the 'gpg_pop_init.php' script as noted by Stefan Esser. [A quick check
shows that it involves the 'MOD' parameter and can be exploited remotely
without authentication.]
o http://lists.immunitysec.com/pipermail/dailydave/2007-July/004448.html
is a post made by Charlie Miller on 7/6 to Daily Dave in which he
suggests the issue underlying ZD-00000004 might involve $passphrase in
gpg_sign_attachment() although he has not actually verified it.
o http://lists.immunitysec.com/pipermail/dailydave/2007-July/004452.html
is a post made by Nicob on 7/8 to Daily Dave that mentions an attack vector
fixed in version 2.1 but provides no specifics.
o http://lists.immunitysec.com/pipermail/dailydave/2007-July/004453.html
is a post from Stefan Esser on 7/9 to Daily Dave that asserts there are
several more shell command execution flaws in version 2.1 that the
vendor is aware of. Unfortunately, he provides no specifics.
o http://lists.immunitysec.com/pipermail/dailydave/2007-July/004456.html
is a post made by Nicob on 7/9 to Daily Dave that details an attack
vector involving the gpg_check_sign_pgp_mime() function in
gpg_hook_functions.php.
So, how are you VDB folks sorting all this out? I've noticed so far that
Bugtraq 24782 maps to WabiSabiLabi's advisory (although oddly it claims
the issue has now been resolved with version 2.1 of the plugin) and
24828 to Esser's posting.
Am I getting all this straight?
George
--
theall at tenablesecurity.com
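The two bug classes George's post juggles, a local file include through a request parameter and shell command injection through an unescaped passphrase, are easier to keep apart with code in front of you. The PHP below is an added illustration written for this archive page; it is not code from the SquirrelMail GPG plugin, from its author, or from any of the advisories cited above. The function names (gpg_module_path, gpg_sign_command), the module allowlist and the sample inputs are all assumptions made for the example, and the unsafe variant is kept only to show what escapeshellarg() prevents.

```php
<?php
// Added example, not the SquirrelMail GPG plugin's own code. Function names,
// the module allowlist and the sample inputs are assumptions for illustration.
declare(strict_types=1);

// --- Local file include ---
// A module name taken from the request must never reach include/require
// unchecked. Resolving it through a fixed allowlist means "../../etc/passwd"
// can only ever produce a rejection, never a path.
const GPG_MODULES = [
    'encrypt' => 'modules/encrypt.php',
    'sign'    => 'modules/sign.php',
    'keyring' => 'modules/keyring.php',
];

function gpg_module_path(string $mod): string
{
    if (!array_key_exists($mod, GPG_MODULES)) {
        throw new InvalidArgumentException('unknown module: ' . $mod);
    }
    return __DIR__ . '/' . GPG_MODULES[$mod];
}

// --- Shell command injection ---
// Every value interpolated into a shell string is quoted with escapeshellarg();
// a passphrase is user-supplied data like any other argument.
function gpg_sign_command(string $gpg, string $passphrase, string $file): string
{
    return escapeshellarg($gpg)
        . ' --batch --yes --passphrase ' . escapeshellarg($passphrase)
        . ' --detach-sign --armor ' . escapeshellarg($file);
}

// Unsafe form, kept for contrast only. Hand-written single quotes are not
// quoting: a passphrase containing a single quote closes them and whatever
// follows (here: id) runs as a separate shell command.
function gpg_sign_command_unsafe(string $gpg, string $passphrase, string $file): string
{
    return "$gpg --batch --yes --passphrase '$passphrase' --detach-sign --armor '$file'";
}

// Constructed inputs for the demonstration (not from any real attack).
$evil_pass = "x'; id; echo '";
echo "unsafe: ", gpg_sign_command_unsafe('gpg', $evil_pass, 'msg.txt'), "\n";
echo "safe:   ", gpg_sign_command('gpg', $evil_pass, 'msg.txt'), "\n";

foreach (['sign', '../../../../etc/passwd'] as $mod) {
    try {
        echo $mod, ' -> ', gpg_module_path($mod), "\n";
    } catch (InvalidArgumentException $e) {
        echo $mod, ' -> rejected (', $e->getMessage(), ")\n";
    }
}
```

Running the script from the command line shows the injected `; id;` surviving intact in the unsafe string and being reduced to literal characters inside a single quoted argument in the safe one, while the traversal string is rejected before anything resembling an include happens. One further caveat a reviewer would raise: even correctly quoted, a passphrase on the gpg command line is visible to other local users in the process list, so a plugin that shells out to gpg should hand it over on a file descriptor with gpg's --passphrase-fd option rather than as an argument.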