Birk an me basically fully disclosed a 0day in Squirrelmail yesterday. This is a short Q&A to answer the most common questions about the issue to calm you all down a little bit. 😉
What is the punchline, what do I need to know?
An attacker able to exploit this vulnerability can extract files of the server the application is running on. This may include configuration files, log files and additionally all files that are readable for all users on the system. This issue is post-authentication. That means an attacker would need valid credentials for the application to log in or needs to exploit an additional vulnerability of which we are not aware of at this point of time.
An attacker would also be able to delete files on the system, if the user running the application has the rights to do so.
Does this issue affect me?
Likely yes, if you are using Squirrelmail. We checked the latest development version, which is 1.5.2-svn and the latest version available for download at this point of time, 1.4.22. Both contain the vulnerable code.
What are the technical details for this vulnerability?
There is an arbitrary read of files due to missing sanitization of user supplied input. An attacker can use a path traversal to reference arbitrary files from the target server getting attached to a mail. The parameter supplied by the attacker will be unserialized by the application and it contains the path to the temporary file that is supposed to be attached. The attacker fully controls that parameter and can set it to arbitrary values. One vulnerable code path ends up in the Deliver.class.php line 284:
284 $filename = $message->att_local_name;
294 $file_has_long_lines = file_has_long_lines($hashed_attachment_dir
295 . '/' . $filename, 990);
297 $file = fopen ($hashed_attachment_dir . '/' . $filename, 'rb');
The reference to $message->att_local_name in line 284 is controlled by the attacker. The resulting call to fopen contains the attacker supplied path traversal, referencing an arbitrary file. The file will be attached to a mail and can be easily extracted by the attacker.
The file delete works in the same fashion.
Why did you go full disclosure with this?
We communicated this issue to Squirrelmail on 21.05.2017. We have since tried to reach out via additional mails and Twitter and have received no response. This is why we decided to fully disclose this issue. As this issue is post-authentication, we assume that the resulting damage from this full disclosure will likely be restricted. For more discussions on disclosures I would like to refer to Another Perspective in Vulnerability Disclosure, Sending Mixed Signals and Reflections on Vulnerability Disclosure.