Open Source Forge - www.osforge.com [ Squirrelmail Remote and Local File Inclusion and XSS Vulnerabilities ]

Root
Contribute News
Learning Corner
Linux Distributions
Linux Common FAQ's
Discussion Forums
Community Gallery
Links Directory
Search OSForge

Networking
Industry Updates
Linux & Open Source
Opinions
Press Release
Programming
Security
Web Development
White Paper

Likewise Names Leading Open Source Voice as CTO

Launched: Zarafa Collaboration Platform 7.0 and Zarafa Archiver

Zarafa Shows User Driven Innovation at Fifth SummerCamp Anniversary

Userful Corporation Named to Everything Channel’s CRN Virtualization 100 List

Zarafa Joins Microsoft with Advanced Outlook 2010 Compatibility

Zarafa and Mandriva Partner to Deliver Integrated Enterprise Solutions

CustomTech Teams with European Exchange Alternative “Zarafa”

Likewise Cross-Platform Integration Software Hits 100,000 Users

Cloud.com Releases New Version of CloudStack

View More �

Squirrelmail Remote and Local File Inclusion and XSS Vulnerabilities

By : Accidutzu [www]

on Securit
Sunday the 6th, February 2005 at 11:14 AM (EST)

Readers TalkBack (0) - 2486 Reads

Printable format
Foward to Email

SquirrelMail 1.4.4 has been released to resolve a number of security issues. It is strongly recommended that all running SquirrelMail prior to 1.4.4 upgrade to the latest release.

Multiple vulnerabilities have been discovered in SquirrelMail. These vulnerabilities include remote file inclusion, cross site scripting issues and local file inclusion.

DETAILS

Vulnerable Systems:
* Squirrelmail version 1.4.3 and prior

Immune Systems:
* Squirrelmail version 1.4.4 or newer

Remote File Inclusion
Manoel Zaninetti reported an issue in src/webmail.php which would allow a crafted URL to include a remote web page. This was assigned CAN-2005-0103 by the Common Vulnerabilities and Exposures.

Cross Site Scripting Issues
A possible cross site scripting issue exists in src/webmail.php that is only accessible when the PHP installation is running with register_globals set to On. This issue was uncovered internally by the SquirrelMail Development team. This issue was assigned CAN-2005-0104 by the Common Vulnerabilities and Exposures.

A second issue which was resolved in the 1.4.4-rc1 release was uncovered and assigned CAN-2004-1036 by the Common Vulnerabilities and Exposures. This issue could allow a remote user to send a specially crafted header and cause execution of script (such as javascript) in the client browser.

Local File Inclusion
A possible local file inclusion issue was uncovered by one of our developers involving custom preference handlers. This issue is only active if the PHP installation is running with register_globals set to On.

It is strongly suggested that all users running SquirrelMail prior to 1.4.4 upgrade to the latest release. Those using a development release, should upgrade to the latest snapshots to ensure they have the latest updates for these issues. A full list of changes in this, and previous releases can be found here.

For further updates on security issues, details are posted to http://www.squirrelmail.org/security/. Any security issues should be emailed to security@squirrelmail.org.

Reader Rating from 1-5

Talkback

Post Your Talkback | View All Talkback (0 Posted)

Currently there are no Talkback posted on "Squirrelmail Remote and Local File Inclusion and XSS Vulnerabilities", Click here to be the first to post a talkback.


About \| Term of Use \| Privacy \| Contact us \| Tell a Friend \| Advertise	OSForge News RSS Feed