<<< Date Index >>>     <<< Thread Index >>>

squirrelmail CSRF vulnerability



I. BACKGROUND

SquirrelMail is a standards-based webmail package written in PHP.
It includes built-in pure PHP support for the IMAP and SMTP protocols,
and all pages render in pure HTML 4.0 (with no JavaScript required) 
for maximum compatibility across browsers. It has very few requirements
and is very easy to configure and install. SquirrelMail has all the 
functionality you would want from an email client, including strong MIME
support, address books, and folder manipulation.

II. DESCRIPTION

Squirrel Mail application is vulnerable to Cross Site Request Forgery (CSRF)
vulnerability.

A remote user can perform all the legitimate actions which a normal user can
perform after a logged-in.

This attack is launched because squirrel mail application doesn't have secondary
authentication for actions. That is, application authenticates the request based
on cookie present in it. It does not have any session token which will identify
request as legitimate or not.

Assumption:

* The attacker has knowledge of sites the victim has current authentication on
* The attacker's "target site" has persistent authentication cookies, or the 
victim
  has a current session cookie

III. ANALYSIS

Successful exploitation of this vulnerability would allow an attacker to 
perform all the action
which a legitimate user can do. For example,
1. Send an E-Mail on behalf of victim.
2. Delete an E-Mail from victim's account.
3. Add a new contact into address book.
4. Create a new folder into victim's account.
5. Change the options/settings of victim's account.
6. Sign Out the victim from current session.

IV. DETECTION

Latest version of squirrel mail 1.4.8-4.fc6 and prior are found vulnerable.

V. WORKAROUND

I.  Application should check for Referer Header in every post login request.

II. Application should use CSRF token which is random enough to identify every 
legitimate post login request.

VI. VENDOR RESPONSE
??

VII. CVE INFORMATION
??

VIII. DISCLOSURE TIMELINE

05/02/2007 Initial vendor notification

??/??/??Initial vendor response

??/??/??Coordinated public disclosure

IX. CREDIT

Avinash Shenoi (savinash@xxxxxxxxxx)
Vivek Relan    (vivek@xxxxxxxxxx)
Cenzic Inc.

X. REFERENCES

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1648

XI. LEGAL NOTICES

Copyright © 

Permission is granted for the redistribution of this alert electronically. It 
may not be edited 
in any way without the express written consent of Cenzic. If you wish to 
reprint the whole or 
any part of this alert in any other medium other than electronically, please 
email for permission.

Disclaimer: The information in the advisory is believed to be accurate at the 
time of publishing
based on currently available information. Use of the information constitutes 
acceptance for use 
in an AS IS condition. There are no warranties with regard to this information. 
Neither the author
nor the publisher accepts any liability for any direct, indirect, or 
consequential loss or damage 
arising from use of, or reliance on, this information.