Friday, December 17, 2004

SquirrelMail!

I do not aspire to be a security analyst for web-based media, but I couldn't help noticing the hordes of security holes that I come across very often in different sites. Take, for example, the SquirrelMail server. It takes the username and password fields, and sends them over the connection for the server-side script in absolutely unencrypted form! I can see my browser going to the redirected site with my username and password displayed in the address bar!! Phew! We had decided to deploy the SquirrelMail server for the university email access, stripping off Microsoft Exchange Server. But it looks as though, unless a correct patch is available, we have to stop the deployment of SquirrelMail. I notified the Incharge via mail. The mail is reproduced here (although with some modifications to protect the privacy of those involved):

Subject: [Webmasters] Security Hole!
From: "S2114"
Date: Fri, December 17, 2004 1:57 pm
To: "Ayaz Ahmed"

Sir,

The FAST-NU site has been revamped, and revamped for good. The previous Webmasters had decided to do away with the Microsoft Exchange Server and instead bring in the SquirrelMail server. SquirrelMail had the advantage that it was open source and we could do away with any changes we might have wanted. But recently I found that SquirrelMail does not have a secure mode of transmission, as it utilizes JavaScript. The problem is that it detects the text in the username and password fields and sends it over the connection absolutely unencrypted for the server-side script to work on. In fact, if you look at the address bar of your Explorer while this is signing in, you can see your user ID and password being displayed for the redirection connection to be established. All in unencrypted form. So there is not even any need for a packet-capture program like Ethereal to be utilized.

Here is what I found on my system:

[When Redirecting]
http://superway/webmail/src/redirect.php?js_autodetect_results=0&login_username=s2114&secretkey=pa13pc

And when I captured the packet (just for fun!) I found the following results:

GET http://superway/webmail/src/redirect.php?js_autodetect_results=0&login_username=s2114&secretkey=p3apc HTTP/1.0
--Much output omitted--
Host: superway
Cookie: squirrelmail_language=en_US; SQMSESSID=l48f8uu4rh9h0aj0dvoo9besd3

Here is the response:

HTTP/1.1 200 OK
Via: 1.1 SERVER5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Date: Fri, 17 Dec 2004 13:31:27 GMT
Content-Type: text/html; charset=iso-8859-1
Server: Microsoft-IIS/5.0
X-Powered-By: PHP/5.0.2
Set-Cookie: SQMSESSID=l48f8uu4rh9h0aj0dvoo9besd3; path=/
Set-Cookie: key=%2Fpi95TId; path=/webmail/

Keeping in the spirit of security tradition I have not yet discussed it with the other members of the Webmasters. I had tried to access the SquirrelMail web site but it seems to be down. So would you suggest using any other open source email program that can be deployed on our servers, or a patch or something that can be installed for this security hole? We have to act quickly before the mainstream people find it out. The new FAST-NU site features the SquirrelMail email server.

Regards

Look there! There goes my password for all to see! Let's see what our esteemed Faculty Incharge has to say about it. Nobody knows about it yet! And I am not gonna tell anyone! ;)
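The captured request above is the classic "credentials in the query string" pattern: a GET whose URL carries the username and password, which means the secret is copied into browser history, proxy and web-server access logs and any Referer header, whether or not the connection itself is encrypted. As an added example (not code from the original post or from SquirrelMail), here is a small Python scanner a webmaster could run over access-log or proxy request lines to find such logins. It reports only the offending parameter names, not their values, and can redact a line before it is shared. The parameter list is an assumption (the post's own login_username and secretkey plus a few common names), and the sample lines are constructed.

```python
"""Flag HTTP request lines whose query string carries login credentials.

Added example, not part of the original post or of SquirrelMail. The
credential parameter list is an assumption: it includes the two names seen
in the post (login_username, secretkey) plus a few common ones.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Query-parameter names treated as credentials (assumed list, lower-case).
CREDENTIAL_PARAMS = {"login_username", "secretkey", "password", "passwd", "pass", "pwd"}

# "METHOD target HTTP/x.y" as it appears in a request line or an access log.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$")

# Longest names first so that "passwd=" is not cut short by "pass".
_NAMES = "|".join(sorted(map(re.escape, CREDENTIAL_PARAMS), key=len, reverse=True))
_VALUE = re.compile(r"(?i)([?&](?:%s)=)[^&\s]*" % _NAMES)


def credential_params(request_line):
    """Return the sorted credential-named parameters in a request line's query.

    Returns None when the line is not a request line at all (e.g. a header).
    Only names are returned, never values, so the detector's own output does
    not become one more copy of the secret.
    """
    match = REQUEST_LINE.match(request_line.strip())
    if match is None:
        return None
    # urlsplit copes with both "/path?q" and "http://host/path?q" targets.
    query = urlsplit(match.group("target")).query
    names = {name.lower() for name, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & CREDENTIAL_PARAMS)


def redact(request_line):
    """Replace the value of every credential parameter with [REDACTED]."""
    return _VALUE.sub(r"\1[REDACTED]", request_line)


def scan(lines):
    """Return (line_no, method, path, leaked_param_names) for each offending line."""
    findings = []
    for number, line in enumerate(lines, 1):
        leaked = credential_params(line)
        if not leaked:  # None (not a request line) or [] (clean query)
            continue
        match = REQUEST_LINE.match(line.strip())
        path = urlsplit(match.group("target")).path
        findings.append((number, match.group("method"), path, leaked))
    return findings


# Constructed sample: a login redirect of the shape shown in the post (with
# made-up credentials), a clean page fetch, a POST login, a mixed-case
# parameter name, and a header line that is not a request line at all.
SAMPLE_LINES = [
    "GET /webmail/src/redirect.php?js_autodetect_results=0&login_username=alice&secretkey=hunter2 HTTP/1.0",
    "GET /webmail/src/webmail.php HTTP/1.1",
    "POST /webmail/src/redirect.php HTTP/1.1",
    "GET /login?user=bob&PASSWORD=x HTTP/1.1",
    "Host: superway",
]

if __name__ == "__main__":
    for number, method, path, leaked in scan(SAMPLE_LINES):
        print("line %d: %s %s leaks %s" % (number, method, path, ", ".join(leaked)))
    print(redact(SAMPLE_LINES[0]))
```

Run on the constructed sample, the scanner flags lines 1 and 4 and leaves the POST alone: a form that submits its credentials in a POST body over HTTPS never puts them in the request line, which is the fix this kind of finding should lead to. The redact step exists because the first thing people do with a finding like the one in the post is paste the offending line into an email.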
