Securityvulns, SECURITYVULNS:DOC:18627
Dec 13, 2007 - 12:00 a.m.

Two vulnerabilities in SquirrelMail GPG plugin


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Site address: http://www.braverock.com/gpg
SquirrelMail plugin page: http://www.squirrelmail.org/plugin_view.php?id=153

Issue 1 - Deletion of files writable by the web server user

The SquirrelMail GPG plugin allows end users to delete or overwrite files
writable by the web server user. In default SquirrelMail 1.4.3-1.4.8
setups, end users can delete stored user preferences and address books
without any complex hacks. Default SquirrelMail 1.4.9+ setups and custom
rpm or deb packages are still vulnerable to relative path attacks,
because the location of the attachment and data directories is known to
the attacker.

Upstream was notified about the vulnerability on 2007-09-24. A patch was
provided on 2007-10-01. I haven't received any response and don't see
fixes in the current (2007-12-09) gpg plugin snapshots.

Affected versions: 2.0, 2.0.1 and 2.1
Fix: http://www.topolis.lt/bugtraq/gpg_encrypt.php.diff.gz

Issue 2 - Unsanitized display of public keys

The SquirrelMail GPG plugin does not sanitize imported public key
information. This allows an attacker to inject custom HTML tags into
the SquirrelMail message display.

Upstream was notified about the vulnerability (with a fix) on 2007-10-15.
I haven't received any response and don't see fixes in the current
(2007-12-09) gpg plugin snapshots.

Affected versions: 2.0, 2.0.1 and 2.1
Fix: http://www.topolis.lt/bugtraq/gpg_hook_functions.php.diff.gz
POC exploit: http://www.topolis.lt/bugtraq/gpg-unsanitized-js-poc.eml.gz


Tomas Kuliavas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHW+//aYoxl8XwnvYRAjmwAJ0SH7OBb6VRrpmwwY3JY9bmMWN95ACgun5W
JV6Gdv4JD3ngLSXfLYw3poc=
=ajUp
-----END PGP SIGNATURE-----
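
The class of fix that issue 2 calls for, as an added example that is not part of the advisory and not the plugin's own code: every string taken from an imported key is treated as untrusted and HTML-escaped before it reaches the page. It assumes the key data arrives in GnuPG's colon-delimited listing format; the function names and the sample listing are constructed for illustration.

```python
import html
import re

# Constructed sample in the style of `gpg --with-colons` output. The second
# user ID carries markup, as a key supplied by a third party could.
SAMPLE_LISTING = (
    "pub:-:1024:17:0123456789ABCDEF:2007-10-15:::-:"
    "Alice Example <alice@example.org>::scESC:\n"
    "uid:-::::2007-10-15::::"
    "Bob <b>Admin</b> (note\\x3a test) <bob@example.org>:\n"
    "sub:-:2048:16:FEDCBA9876543210:2007-10-15::::::e:\n"
)

# GnuPG quotes special bytes in colon listings as a backslash, 'x', two hex digits.
_QUOTED_BYTE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def decode_field(raw):
    """Undo the hex quoting GnuPG applies to fields in colon listings."""
    return _QUOTED_BYTE.sub(lambda m: chr(int(m.group(1), 16)), raw)


def user_ids(listing):
    """Return the decoded user IDs (field 10) of pub and uid records."""
    ids = []
    for line in listing.splitlines():
        # Split on the raw line first: a quoted colon must not act as a separator.
        fields = line.split(":")
        if fields[0] in ("pub", "uid") and len(fields) > 9 and fields[9]:
            ids.append(decode_field(fields[9]))
    return ids


def render_key_rows(listing):
    """Build HTML table rows with every key-derived string escaped."""
    # Escape at output time, after decoding, so quoted bytes cannot
    # reintroduce markup characters behind the escaping step.
    return ["<tr><td>%s</td></tr>" % html.escape(uid, quote=True)
            for uid in user_ids(listing)]


if __name__ == "__main__":
    for row in render_key_rows(SAMPLE_LISTING):
        print(row)
```
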