Squirrelmail Remote and Local File Inclusion and XSS Vulnerabilities
SquirrelMail 1.4.4 has been released to resolve a number of security issues. It is strongly recommended that all running SquirrelMail prior to 1.4.4 upgrade to the latest release.
Multiple vulnerabilities have been discovered in SquirrelMail. These vulnerabilities include remote file inclusion, cross site scripting issues and local file inclusion.
DETAILS
Vulnerable Systems:
* Squirrelmail version 1.4.3 and prior
Immune Systems:
* Squirrelmail version 1.4.4 or newer
Remote File Inclusion
Manoel Zaninetti reported an issue in src/webmail.php which would allow a crafted URL to include a remote web page. This was assigned CAN-2005-0103 by the Common Vulnerabilities and Exposures.
Cross Site Scripting Issues
A possible cross site scripting issue exists in src/webmail.php that is only accessible when the PHP installation is running with register_globals set to On. This issue was uncovered internally by the SquirrelMail Development team. This issue was assigned CAN-2005-0104 by the Common Vulnerabilities and Exposures.
A second issue which was resolved in the 1.4.4-rc1 release was uncovered and assigned CAN-2004-1036 by the Common Vulnerabilities and Exposures. This issue could allow a remote user to send a specially crafted header and cause execution of script (such as javascript) in the client browser.
Local File Inclusion
A possible local file inclusion issue was uncovered by one of our developers involving custom preference handlers. This issue is only active if the PHP installation is running with register_globals set to On.
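The two hardening patterns behind the fixes described above (an allowlist for anything that reaches include(), and HTML escaping of attacker-controlled mail headers before they are rendered) can be shown in a few lines of PHP. The block below is an added illustration, not SquirrelMail's own code: the page names, file paths, and the functions resolve_page, include_page_safe and render_header_value are hypothetical, and the request values and Subject header are constructed samples.

```php
<?php
// Added illustration, not SquirrelMail code. Hypothetical page dispatcher
// and header renderer showing the defensive patterns the advisory's fixes
// rely on: an allowlist for include() targets and output escaping for
// attacker-controlled mail headers.

declare(strict_types=1);

// Allowlist of page names this hypothetical dispatcher may include.
// Mapping request values onto a fixed set of local files means neither a
// remote URL nor an arbitrary local path can ever reach include().
const ALLOWED_PAGES = [
    'inbox'   => 'pages/inbox.php',
    'compose' => 'pages/compose.php',
];

/**
 * Vulnerable shape, kept only for contrast: the include target is taken
 * straight from request data. With register_globals set to On, an
 * uninitialised $page variable is silently filled from the query string,
 * which is why the advisory ties both inclusion issues to that setting.
 */
function include_page_unsafe(string $page): void
{
    include $page;          // $page may be a URL or a ../-style local path
}

/**
 * Hardened form: resolve the request value against the allowlist and
 * refuse anything else. Returns the resolved path or null when rejected,
 * so the decision can be checked without performing the include.
 */
function resolve_page(string $requested): ?string
{
    return ALLOWED_PAGES[$requested] ?? null;
}

function include_page_safe(string $requested): void
{
    $path = resolve_page($requested);
    if ($path === null) {
        http_response_code(400);
        exit('unknown page');
    }
    include $path;
}

/**
 * Mail header values are attacker-controlled text and must be HTML-escaped
 * before they are placed in the page; without this a crafted Subject or
 * From header can carry script into the client browser.
 */
function render_header_value(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample request values (not real traffic).
$requests = ['inbox', 'http://example.invalid/remote.txt', '../../private/config.php'];
foreach ($requests as $r) {
    $decision = resolve_page($r) ?? 'REJECTED';
    echo "page={$r} -> {$decision}\n";
}

// Constructed sample header value.
$subject = '<script>alert(1)</script> hello';
echo 'escaped: ' . render_header_value($subject) . "\n";
```

The allowlist approach is deliberately stricter than path validation: it never inspects the untrusted string for "bad" characters, it only asks whether the string is one of a handful of known keys. Independently of the application code, setting register_globals = Off in php.ini removes the mechanism by which a request parameter can populate an uninitialised variable at all, which is the configuration-level mitigation for the two register_globals-dependent issues in this advisory.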
It is strongly suggested that all users running SquirrelMail prior to 1.4.4 upgrade to the latest release. Those using a development release should upgrade to the latest snapshots to ensure they have the latest updates for these issues. A full list of changes in this and previous releases can be found here.
For further updates on security issues, details are posted to
http://www.squirrelmail.org/security/. Any security issues should be
emailed to security@squirrelmail.org.