--On June 1, 2006 12:50:15 AM +0000 brokejunker (at) yahoo (dot) com [email concealed] wrote:

> Squirrelmail local file inclusion bug in functions/plugin.php .
> Tested on the latest 1.4.x version.
> No authentication needed.
>
> if (isset($plugins) && is_array($plugins)) {
> foreach ($plugins as $name) {
> use_plugin($name);
> }
> ...
> function use_plugin ($name) {
> if (file_exists(SM_PATH . "plugins/$name/setup.php")) {
> include_once(SM_PATH . "plugins/$name/setup.php");
> $function = "squirrelmail_plugin_init_$name";
> if (function_exists($function)) {
> $function();
> }
> }
> }
> ....
>
> If register_globals is on we can control the $name variable.
>
This is the second "bug" I've seen in the past week that requires
register_globals to be on. Yet register_globals has been off by default
for the past four years. <http://us2.php.net/ChangeLog-4.php#4.2.0>

The developers of PHP specifically address its use and warn against it
unless you know what you're doing. <http://us2.php.net/register_globals>

Squirrelmail even warns specifically against using register_globals = on
and checks for it when installing.

grep register_globals /usr/local/share/doc/squirrelmail/*
/usr/local/share/doc/squirrelmail/ChangeLog: - Added PHP register_globals
check to configuration test utility.
/usr/local/share/doc/squirrelmail/ChangeLog: - Fixed use of
squirrelmail_language cookie with PHP register_globals =
/usr/local/share/doc/squirrelmail/ChangeLog: - Prefs caching didn't work
properly with register_globals off (#995102).
/usr/local/share/doc/squirrelmail/ChangeLog: by register_globals = off.
/usr/local/share/doc/squirrelmail/ChangeLog: - This release is compatible
with installations that have register_globals set to off.
/usr/local/share/doc/squirrelmail/INSTALL: It is highly advised to NOT
turn on register_globals, as this can lead
/usr/local/share/doc/squirrelmail/INSTALL: to security holes. If you must
use register_globals for some applications,
/usr/local/share/doc/squirrelmail/security.txt:- PHP configuration. It's
very important to turn register_globals OFF.
/usr/local/share/doc/squirrelmail/security.txt: could only be exploited
when register_globals was set to on. If you
/usr/local/share/doc/squirrelmail/security.txt: need register_globals for
other web applications, turn it on specifically

Yet know we're getting "security advisories" warning, hey, if you change
the defaults and ignore all the warnings, you too can write insecure code!

Is human stupidity a software bug?

Paul Schmehl (pauls (at) utdallas (dot) edu [email concealed])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
0?ì *?H?÷

 ?Ý0?Ù

10 +0 *?H?÷


 ?Z0?s0?Ü 
!Cl6²V³h­?pú0
 *?H?÷


0ê1'0%U
The University of Texas System10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)991200U)Class 2 CA - OnSite Individual Subscriber1-0+U$The University of Texas at Dallas CA0
050810000000Z
060810235959Z0ô1'0%U
The University of Texas System1-0+U$The University of Texas at Dallas CA1F0DU=www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)9910UMail Stop - UTD10UPaul Schmehl1!0 *?H?÷


pauls (at) utdallas (dot) edu0 [email concealed]?0
 *?H?÷



0?Ä¡æ?9"S,/èâD¸'ɺLsÚXï3a»
?ÂÀ?+±ga,Ó?P$ñX^ù$ã?¡X?'ÈlÖ?úVç^ÚÅ?ÆÅïPN²3Jyfy­(ÅK®ûRTØ????P&8 ½z
¥Æ«¸??=ùÃu[§Þî?X®}ìS)$-|öI

£?0?0 U00U0pauls (at) utdallas (dot) edu0 [email concealed]?
$U ?
0?
0?
`?H
?øE

0?
0++

https://www.verisign.com/rpa-
kr0Ò+
0ÅÂNOTICE: Private key may be recovered by VeriSign's customer who may be able to decrypt messages you send to certificate holder. Use is subject to terms at https://www.verisign.com/rpa-kr (c)99.0 `?H
?øB

?0uUn0l0j h f?dhttp://onsitecrl.verisign.com/TheUnive
rsityofTexasSystemTheUniversityofTexasatDallasCA/LatestCRL.crl0U
?0U%0+
+
0
 *?H?÷


AØ: ³+Æü6?'â*Q?
VËD"??mÂrJ´
_û$P?o:¼LP?È*$ªøÉUÄ¿f?É´ï՝?±ýºçY2ÝB6óÁ×ÎNøßÜÛ¾i?̶f:Ü
Ó?¡×ö÷S??ìÅa1ÌÑB{S~?q¡hUN©?l0?Ø0?A 
Aì=§?ÄöÕÝÑe0
 *?H?÷


0Á10 UUS10U
VeriSign, Inc.1<0:U3Class 2 Public Primary Certification Authority - G21:08U1(c) 1998 VeriSign, Inc. - For authorized use only10UVeriSign Trust Network0
990331000000Z
090330235959Z0ê1'0%U
The University of Texas System10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)991200U)Class 2 CA - OnSite Individual Subscriber1-0+U$The University of Texas at Dallas CA0?0
 *?H?÷



0?¿êï?ë
Áù"ÁÑÁÌÛzÚ¾6Òp`0`åàS/5ôɨ)ÖÞ=ó?d}¾Ñ?Tx?ÿ¢xñû?«Ãü?LÂIA
áÀÒ¥×ü~ÿBQNtó
Õhs¥]1øæ)%c¨#?Dj?°9ñïÛFXú¸ÏKózÁ¢I??#Cº?2?

£¥0¢0
)U"0 ¤010UPrivateLabel1-1400 `?H
?øB


0DU =0;09`?H
?øE


0*0(+

https://www.verisign.com/RPA0U
0

ÿ
0U
0
 *?H?÷


S µÜ²¶?Ñ P?É8yÜȲI¿¸S?o?̲äz|ü£è_a^_??ZÒ?
"ñ¼íñT¶T¦T¡T¼iÇ!7¢?9?§¬ ?è?]?
H9Y?$ C¼??Ü?táæã¾j¤?11#%?¯º,Q?Y¦£?Ò´ÎT0?0?l¹/`Ì??¡zF ¸[pl?¯0
 *?H?÷


0Á10 UUS10U
VeriSign, Inc.1<0:U3Class 2 Public Primary Certification Authority - G21:08U1(c) 1998 VeriSign, Inc. - For authorized use only10UVeriSign Trust Network0
980518000000Z
280801235959Z0Á10 UUS10U
VeriSign, Inc.1<0:U3Class 2 Public Primary Certification Authority - G21:08U1(c) 1998 VeriSign, Inc. - For authorized use only10UVeriSign Trust Network0?0
 *?H?÷



0?§?
!t,çð?á?<!ñ?Û?é?ü¾_RÈÌ,V,¸
i,Ì?­°?®yò9Á{?º
,èÂ?,ªié ôÇ©¤BÂ#OJØð¢û1lÉæo?'õæôLx?mëF?ú¹?ÉTò²Ä¯ÔFZÉ0ÿ
lõ-mÎw

0
 *?H?÷


r.ùÑñqûÄ?öÅ^Q?@?¸hø??Ø❽ÿí¡æfê/ ôÊ×ê¥+?ö$`?MD.?¥Ä- Ó®xiorÚl®ðc?7æ»Ä0­wÌI5ªÏ؏Ѿ·?GsjT"4d-¶?Y[´QY:³
ôßg ô­2d^±Fr'?{ÅD´®1?Z0?V

0ÿ0ê1'0%U
The University of Texas System10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)991200U)Class 2 CA - OnSite Individual Subscriber1-0+U$The University of Texas at Dallas CA!Cl6²V³h­?pú0 + ±0 *?H?÷

1 *?H?÷


0 *?H?÷

1
060602042102Z0# *?H?÷

1§ú¿?ýfTx´<?Ê©´ÞÉÝ0R *?H?÷

1E0C0
*?H?÷
0*?H?÷
?0
*?H?÷

@0+0
*?H?÷

(0
 *?H?÷



??±î?+Ê¢?°]Ü"xæ%¬±0?¨³¿Î§c8S3ȐLÚ`°Ír?
SîØéÖ)¢a("u¸CʳX§#UlËo¬ ÝÀ'Ù ÎÆý4;%k?3'­5£Þ@\¨VQ2ä7Éå±±¢Cô#yÜL#L?/X*e?C3ïÙePÉOm

[ reply ]