Freedom The Open Source Way Contribute Articles or News to OSForgeOSForge HomeLogout from Forums
Contacting OSForgeOSForge HomeAbout OSForge
  

Root
 Contribute News
 Learning Corner
 Linux Distributions
 Linux Common FAQ's
 Discussion Forums
Community Gallery
Links Directory
Search OSForge
Networking
 Industry Updates
 Linux & Open Source
 Opinions
 Press Release
 Programming
 Security
 Web Development
White Paper
DAKCS Software Systems Introduces Innovative Customer Training Program
Zarafa and ClearCenter Announce ClearOS Integration
Zarafa Brings Browser-Based Enterprise Collaboration Client to CeBIT
Zarafa Catalyses Software Development Collaboration by Launching git.zarafa.com
Zarafa and LPI Partner on Training and Certification Program
Likewise to Grow Seattle-Area Workforce
Likewise CTO: Unleash and Secure Unstructured Data
Likewise Names Leading Open Source Voice as CTO
Launched: Zarafa Collaboration Platform 7.0 and Zarafa Archiver

View More »

Squirrelmail Remote and Local File Inclusion and XSS Vulnerabilities
By : Accidutzu [www] Find more article by Accidutzu on Securit
Sunday the 6th, February 2005 at 11:14 AM (EST)
Send this Story to a Friend Readers TalkBack (0) - 2682 Reads

Printer Friendly Page Printable format
Send this Story to a Friend Foward to Email

SquirrelMail 1.4.4 has been released to resolve a number of security issues. It is strongly recommended that all running SquirrelMail prior to 1.4.4 upgrade to the latest release.

Multiple vulnerabilities have been discovered in SquirrelMail. These vulnerabilities include remote file inclusion, cross site scripting issues and local file inclusion.

DETAILS

Vulnerable Systems:
* Squirrelmail version 1.4.3 and prior

Immune Systems:
* Squirrelmail version 1.4.4 or newer

Remote File Inclusion
Manoel Zaninetti reported an issue in src/webmail.php which would allow a crafted URL to include a remote web page. This was assigned CAN-2005-0103 by the Common Vulnerabilities and Exposures.

Cross Site Scripting Issues
A possible cross site scripting issue exists in src/webmail.php that is only accessible when the PHP installation is running with register_globals set to On. This issue was uncovered internally by the SquirrelMail Development team. This issue was assigned CAN-2005-0104 by the Common Vulnerabilities and Exposures.

A second issue which was resolved in the 1.4.4-rc1 release was uncovered and assigned CAN-2004-1036 by the Common Vulnerabilities and Exposures. This issue could allow a remote user to send a specially crafted header and cause execution of script (such as javascript) in the client browser.

Local File Inclusion
A possible local file inclusion issue was uncovered by one of our developers involving custom preference handlers. This issue is only active if the PHP installation is running with register_globals set to On.

It is strongly suggested that all users running SquirrelMail prior to 1.4.4 upgrade to the latest release. Those using a development release, should upgrade to the latest snapshots to ensure they have the latest updates for these issues. A full list of changes in this, and previous releases can be found here.

For further updates on security issues, details are posted to http://www.squirrelmail.org/security/. Any security issues should be emailed to security@squirrelmail.org.
  
Reader Rating from 1-5

 

Poor very 
1
2
3
4
5 		 very Excellent

Talkback

Post Your Talkback | View All Talkback (0 Posted)

 Currently there are no Talkback posted on "Squirrelmail Remote and Local File Inclusion and XSS Vulnerabilities", Click here to be the first to post a talkback.

 
Scroll Up

   About | Term of Use | Privacy | Contact us | Tell a Friend | Advertise  

 OSForge News RSS Feed