Squirrelmail Remote and Local File Inclusion and XSS Vulnerabilities
By: Accidutzu (Security)
Sunday the 6th, February 2005 at 11:14 AM (CST)

SquirrelMail 1.4.4 has been released to resolve a number of security issues. It is strongly recommended that all users running SquirrelMail prior to 1.4.4 upgrade to the latest release.

Multiple vulnerabilities have been discovered in SquirrelMail. These vulnerabilities include remote file inclusion, cross-site scripting issues and local file inclusion.

DETAILS

Vulnerable Systems:
* Squirrelmail version 1.4.3 and prior

Immune Systems:
* Squirrelmail version 1.4.4 or newer

Remote File Inclusion
Manoel Zaninetti reported an issue in src/webmail.php which would allow a crafted URL to include a remote web page. This was assigned CAN-2005-0103 by the Common Vulnerabilities and Exposures.
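A remote file inclusion of this kind leaves a recognisable trace in the web server's access log: a request to src/webmail.php whose query string carries a full URL where a script name is expected. The following scanner is an added example for defenders, not code from the advisory or from SquirrelMail; it flags any parameter of a src/webmail.php request whose value looks like a remote URL, and it also flags directory-traversal values, which is the matching indicator for the local file inclusion described further down. The log lines and the parameter name "frame" are constructed for the example; the advisory does not name the affected parameter, so the check is deliberately parameter-agnostic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache "combined" format; not real traffic.
# The parameter name "frame" is a placeholder, not SquirrelMail's real parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Feb/2005:10:01:12 -0600] "GET /squirrelmail/src/webmail.php?frame=http://198.51.100.7/x.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [06/Feb/2005:10:01:15 -0600] "GET /squirrelmail/src/webmail.php?frame=../../../../etc/passwd HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [06/Feb/2005:10:02:01 -0600] "GET /squirrelmail/src/webmail.php?frame=right_main.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.11 - - [06/Feb/2005:10:03:44 -0600] "GET /squirrelmail/src/read_body.php?mailbox=INBOX&passed_id=3 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# "scheme://..." or a protocol-relative "//host/..." at the start of a value.
REMOTE_RE = re.compile(r'^(?:[a-z][a-z0-9+.\-]*:)?//', re.I)
# A ".." path segment anywhere in the value (either separator style).
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def classify_request(target: str):
    """Return [(param, indicator)] for suspicious include-like values in a
    request to src/webmail.php; an empty list means nothing was flagged."""
    parts = urlsplit(target)
    if not parts.path.endswith('/src/webmail.php'):
        return []
    findings = []
    # parse_qsl percent-decodes values, so %2e%2e%2f is seen as ../
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if REMOTE_RE.match(value):
            findings.append((name, 'remote_include'))
        elif TRAVERSAL_RE.search(value) or value.startswith('/'):
            findings.append((name, 'local_include'))
    return findings


def scan_log(text: str):
    """Run classify_request over every parseable line; return alert dicts."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, kind in classify_request(m.group('target')):
            alerts.append({
                'ip': m.group('ip'),
                'time': m.group('ts'),
                'param': param,
                'kind': kind,
                'status': int(m.group('status')),
            })
    return alerts


if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The status code is carried along because a 200 on a flagged request is what warrants a closer look at the host; a 404 or 403 from a patched or hardened install is still worth counting as reconnaissance. Values that are percent-encoded twice, or sent in a POST body, are not seen by this one-pass check, so treat it as a first filter rather than a complete detection.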

Cross-Site Scripting Issues
A possible cross-site scripting issue exists in src/webmail.php that is only accessible when the PHP installation is running with register_globals set to On. This issue was uncovered internally by the SquirrelMail development team. This issue was assigned CAN-2005-0104 by the Common Vulnerabilities and Exposures project.

A second issue, which was resolved in the 1.4.4-rc1 release, was uncovered and assigned CAN-2004-1036 by the Common Vulnerabilities and Exposures project. This issue could allow a remote user to send a specially crafted header and cause execution of script (such as JavaScript) in the client browser.

Local File Inclusion
A possible local file inclusion issue was uncovered by one of our developers involving custom preference handlers. This issue is only active if the PHP installation is running with register_globals set to On.
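Both the remote and the local inclusion above come down to the same defect: a name that reaches an include statement is taken from request input (or, with register_globals on, from an unset global that the request can populate) without being constrained to a known set of files. The function below is an added example of the defensive pattern, written in Python rather than PHP and not taken from SquirrelMail; the handler names, the base directory and the request-parameter name are constructed. It reads the handler name only from an explicit parameter map with a default, accepts only identifiers on an allowlist, and then confirms the resolved path still lies under the base directory, so a URL, an absolute path or a ".." segment is rejected at one of three layers.

```python
import re
from pathlib import Path

# Constructed layout and allowlist for the example; not SquirrelMail's real
# directory or preference-handler names.
HANDLER_DIR = Path('/var/www/webmail/prefs')  # assumption
ALLOWED_HANDLERS = frozenset({'display_prefs', 'folder_prefs', 'identity_prefs'})
DEFAULT_HANDLER = 'display_prefs'

# A handler name is a short identifier: no separators, no dots, no scheme.
IDENT_RE = re.compile(r'[A-Za-z0-9_]{1,64}')


def handler_from_request(params: dict, key: str = 'handler') -> str:
    """Read the handler name from an explicit parameter map only.

    This is the register_globals lesson: the value comes from a named source
    with a default, never from whatever variables happen to exist.
    """
    value = params.get(key, DEFAULT_HANDLER)
    return value if isinstance(value, str) else DEFAULT_HANDLER


def resolve_handler(name: str,
                    base_dir: Path = HANDLER_DIR,
                    allowed=ALLOWED_HANDLERS) -> Path:
    """Map a handler name to a file path, or raise ValueError.

    Layer 1: syntactic check (identifier only).
    Layer 2: allowlist membership.
    Layer 3: the resolved path must stay under base_dir.
    """
    if not IDENT_RE.fullmatch(name):
        raise ValueError(f'handler name is not a plain identifier: {name!r}')
    if name not in allowed:
        raise ValueError(f'handler not in allowlist: {name!r}')
    base = base_dir.resolve()
    candidate = (base / f'{name}.php').resolve()
    if base not in candidate.parents:
        raise ValueError('resolved path escapes the handler directory')
    return candidate


def resolve_from_request(params: dict) -> Path:
    """Convenience wrapper: request parameters in, safe include path out."""
    return resolve_handler(handler_from_request(params))


if __name__ == '__main__':
    # Constructed inputs of the three shapes the advisory is concerned with.
    for sample in ({'handler': 'folder_prefs'},
                   {'handler': 'http://198.51.100.7/x.txt'},
                   {'handler': '../../etc/passwd'},
                   {}):
        try:
            print(sample, '->', resolve_from_request(sample))
        except ValueError as exc:
            print(sample, '-> rejected:', exc)
```

The identifier check alone would stop every input shown here, which is why the allowlist and the path check look redundant; they are kept because the first layer is the one most likely to be loosened later (to allow a dot or a subdirectory), and the other two then still hold.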

It is strongly suggested that all users running SquirrelMail prior to 1.4.4 upgrade to the latest release. Those using a development release should upgrade to the latest snapshots to ensure they have the latest updates for these issues. A full list of changes in this and previous releases can be found here.

For further updates on security issues, details are posted to http://www.squirrelmail.org/security/. Any security issues should be emailed to security@squirrelmail.org.

  
Reader Rating from 1-5

 

Poor very 

1

2

3

4

5
 very Excellent

Talkback

Post Your Talkback | View All Talkback (0 Posted)


 Currently there are no Talkback posted on "Squirrelmail Remote and Local File Inclusion and XSS Vulnerabilities", Click here to be the first to post a talkback.


 
Scroll Up

   About | Term of Use | Privacy | Contact us | Tell a Friend | Advertise  

OSForge News RSS Feed