Horde/IMP versus Squirrelmail

Steven Champeon schampeo at hesketh.com
Tue May 24 15:18:07 EDT 2005


on Tue, May 24, 2005 at 02:55:47PM -0400, Matt Pusateri wrote:
> On Tue, May 24, 2005 11:47 am, Steven Champeon said:
> <snip>
> >
> > Well, I dunno about Horde/IMP, but it seems like nearly all of the
> > phishing scams I see here (on the order of a dozen or so a day) and 419
> > scams (on the order of hundreds a day) come from compromised boxes
> > running Squirrelmail. The ~30 listed vulnerabilities at security-focus
> > don't exactly compel confidence, either. Seems like a pretty good way to
> > unwittingly get yourself into the world spam/scam conspiracy to me. But
> > maybe installing Maia Mailguard in front of it will help.
> 
> 
> Ok, first off I think your ~30 stats are a little misleading.  I say
> this b/c I searched Security-Focus for SM advisories and got 39 hits.
> But some advisories were listed more than once for the same
> vulnerability, such as when Fedora Core 2 & 3 both put out new RPMs
> that is being shown as two hits.  Same thing with other distros as
> well.  Also some of the vulnerabilities were for PHP, which can affect
> SM, but doesn't necessarily.

Shrug. I searched for vulnerabilities, not vendor advisories, and saw
around two dozen. It's easily looked up, though difficult to link to.

> I've been using SM for at least 2 years and the majority of
> vulnerabilities have been cross site scripting vulnerabilities.  Since
> SM is a mail client only, I find it hard to believe that SM itself is
> responsible for all the Scam emails you have been getting.

I don't follow - seems to me that mail clients are what are used to send
mail. Given that it needs to be sent to be received or relayed, I don't
see your point. 

> I find it more plausible that the SM box is also an open relay more
> than SM being used to unknowingly send Spam/phishing emails.

So why would the messages contain headers like this? From this month
alone:

Received: from 81.139.1.3 ([81.139.1.3])
        (SquirrelMail authenticated user koinadug)
        by www.koinadugu.com with HTTP;
--
Reply-To: pm2005 at mail.az
User-Agent: SquirrelMail/1.4.4
MIME-Version: 1.0
--
Received: from 81.139.1.3 ([81.139.1.3])
        (SquirrelMail authenticated user koinadug)
        by www.koinadugu.com with HTTP;
--
Reply-To: pm2005 at mail.az
User-Agent: SquirrelMail/1.4.4
MIME-Version: 1.0
--
Received: from 81.139.37.47 ([81.139.37.47])
        (SquirrelMail authenticated user freetown)
        by www.freetown.me.uk with HTTP;
--
Reply-To: pm_2005 at mail.az
User-Agent: SquirrelMail/1.4.4
MIME-Version: 1.0
--
Received: from 81.133.144.139
        (SquirrelMail authenticated user jonnah at mailbg.com)
        by www.mailbg.com with HTTP;
--
To: jonnah at mailbg.com
User-Agent: SquirrelMail/1.4.4
MIME-Version: 1.0
--
To: azuka2 at weed.com
User-Agent: SquirrelMail/1.4.4
MIME-Version: 1.0

Looks to me like SM 1.4.4 is vulnerable to exploit or the server is
configured to allow free webmail account signups for criminals. 

> But that of course would be the MTA not the MUA that is the problem. I
> am also not aware of any open vulnerabilities in SM, so pretty much
> any unpatched box would exhibit the same problems not just SM.

So, I guess all the mail I receive with "SquirrelMail" in the X-Mailer,
User-Agent, and Received: headers must have been sent via an open relay
on the same box as the SM install, but doesn't have anything to do with
SM? Come on.

> I have interpreted from your message that somehow you believe the SM
> code to be insecure such as to allow remotely run scripts to take
> advantage of some SM security hole.  If you indeed know of some
> problem, I would hope you would bring it to the attention of the SM
> developers so it can be patched, otherwise you are unjustly crying
> wolf.

I know of at least a couple dozen "problems". Bringing them to the
developers' notice has presumably already been done, by the Bugtraq
folks. They date back to 2001, with the latest in March.

Seems to me that running software that enables remote sending of mail
without properly securing it against fraudsters is irresponsible. I just
see a lot of the 419/phish scam mail coming from hosts obviously running
SquirrelMail, apparently sent by authenticated SM users. 

Draw your own conclusions.

 2005-03-29:  SquirrelMail Multiple Remote Input Validation Vulnerabilities
 2005-03-18:  SquirrelMail S/MIME Plug-in Remote Command Execution Vulnerability
 2005-03-14:  SquirrelMail URL Remote Code Execution Vulnerability
 2005-02-04:  SquirrelMail Vacation Plugin FTPFile Input Validation Vulnerability
 2005-01-26:  SquirrelMail decodeHeader HTML Injection Vulnerability
 2004-10-02:  SquirrelMail Email Header HTML Injection Vulnerability
 2004-10-02:  SquirrelMail Folder Name Cross-Site Scripting Vulnerability
 2004-10-02:  SquirrelMail Unspecified SQL Injection Vulnerability
 2004-08-24:  SquirrelMail Change_Passwd Plug-in Buffer Overrun Vulnerability
 2004-08-12:  Multiple SquirrelMail Cross Site Scripting Vulnerabilities
 2004-08-12:  SquirrelMail From Email Header HTML Injection Vulnerability
 2003-12-26:  Squirrelmail G/PGP Encryption Plugin Remote Command Execution Vulnerability
 2003-10-03:  SquirrelMail CSS JavaScript Expression MSIE Script Code Injection Vulnerability
 2003-06-24:  Squirrelmail Multiple Remote Vulnerabilities
 2003-03-05:  SquirrelMail global.php Cross Site Scripting Vulnerability
 2003-03-05:  SquirrelMail read_body.php Cross Site Scripting Vulnerability
 2002-11-11:  SquirrelMail Options.PHP Web Root Path Disclosure Vulnerability
 2002-11-11:  SquirrelMail Multiple Cross Site Scripting Vulnerablities
 2002-05-03:  SquirrelMail SquirrelSpell Remote Shell Command Execution Vulnerability
 2002-05-03:  SquirrelMail Theme Remote Command Execution Vulnerability
 2002-05-03:  SquirrelMail Message Header Field Script Injection Vulnerability
 2002-05-03:  SquirrelMail HTML Attachment Script Injection Vulnerability
 2002-01-25:  SquirrelMail Malicious HTML Formatted Email Vulnerability
 2001-07-04:  SquirrelMail Remote Command Execution Vulnerability

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us!   http://hesketh.com/about/careers/account_manager.html    join us!
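The Received: headers quoted in the post carry a "SquirrelMail authenticated user" token, which is what lets an abuse desk tell a webmail account that is sending scam mail from a plain open relay. Below is an added example of how a mail admin could triage a batch of abuse reports on that basis; it is not code from the list, from Steven Champeon, or from the SquirrelMail project. The sample messages, hostnames, account names and IP addresses are constructed (documentation ranges and .example domains), and the grouping logic and threshold are this example's own assumptions.

```python
"""Group abuse-report samples by the SquirrelMail account that sent them.

Added example for this thread, not code from the list or from SquirrelMail.
The hop regex follows the header shape quoted in the post:
    Received: from <client> ([<ip>])
            (SquirrelMail authenticated user <account>)
            by <webmail host> with HTTP;
"""
import re
from collections import defaultdict
from email import message_from_string

# Constructed sample messages (documentation addresses, .example hosts).
SAMPLES = [
    "Received: from 192.0.2.10 ([192.0.2.10])\n"
    "        (SquirrelMail authenticated user alice)\n"
    "        by webmail-a.example with HTTP;\n"
    "        Tue, 24 May 2005 09:12:00 -0000\n"
    "Reply-To: reply-drop@example.invalid\n"
    "User-Agent: SquirrelMail/1.4.4\n"
    "MIME-Version: 1.0\n"
    "Subject: sample 1\n\nbody\n",
    "Received: from 192.0.2.10 ([192.0.2.10])\n"
    "        (SquirrelMail authenticated user alice)\n"
    "        by webmail-a.example with HTTP;\n"
    "User-Agent: SquirrelMail/1.4.4\n"
    "Subject: sample 2\n\nbody\n",
    # Variant without the bracketed IP literal, account written as an address.
    "Received: from 198.51.100.7\n"
    "        (SquirrelMail authenticated user bob@webmail-b.example)\n"
    "        by webmail-b.example with HTTP;\n"
    "User-Agent: SquirrelMail/1.4.4\n"
    "Subject: sample 3\n\nbody\n",
    # Ordinary SMTP hop: no webmail account involved, must not be grouped.
    "Received: from relay.example ([203.0.113.5])\n"
    "        by mx.example with ESMTP; Tue, 24 May 2005 09:15:00 -0000\n"
    "Subject: sample 4\n\nbody\n",
]

SM_HOP = re.compile(
    r"from\s+(?P<origin>\S+)"                      # client as the webmail host logged it
    r"(?:\s+\(\[?(?P<ip>[\d.]+)\]?\))?"            # optional bracketed IP literal
    r"\s+\(SquirrelMail authenticated user\s+(?P<user>[^)\s]+)\)"
    r"\s+by\s+(?P<server>\S+)\s+with\s+HTTP"
)


def squirrelmail_hops(raw_message):
    """Return one dict per Received: hop that was authenticated through SquirrelMail."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        # Unfold the header: collapse the continuation lines into single spaces.
        match = SM_HOP.search(" ".join(value.split()))
        if match:
            hops.append({
                "origin_ip": match.group("ip") or match.group("origin"),
                "user": match.group("user"),
                "server": match.group("server"),
                "user_agent": msg.get("User-Agent", ""),
            })
    return hops


def summarize(raw_messages):
    """Group by (webmail host, account): message count, client IPs seen, agents seen."""
    accounts = defaultdict(lambda: {"count": 0, "origins": set(), "agents": set()})
    for raw in raw_messages:
        for hop in squirrelmail_hops(raw):
            key = (hop["server"], hop["user"])
            accounts[key]["count"] += 1
            accounts[key]["origins"].add(hop["origin_ip"])
            if hop["user_agent"]:
                accounts[key]["agents"].add(hop["user_agent"])
    return dict(accounts)


def flag_accounts(summary, threshold=2):
    """Accounts that recur in the reported set: candidates for a credential reset (threshold is an assumption)."""
    return sorted(key for key, info in summary.items() if info["count"] >= threshold)


if __name__ == "__main__":
    report = summarize(SAMPLES)
    for (server, user), info in sorted(report.items()):
        print(f"{server:20} {user:28} msgs={info['count']} "
              f"clients={sorted(info['origins'])} agents={sorted(info['agents'])}")
    print("review:", flag_accounts(report))
```

The value of grouping by (host, account) rather than by source IP is that a hijacked webmail login shows up as one account sending from whatever client addresses the scammer happens to use, which is exactly the pattern the quoted headers show; the ordinary ESMTP hop in the last sample is ignored because it carries no SquirrelMail authentication token.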


More information about the ncsa-discussion mailing list