osforge.com

SquirrelMail 1.4.4 has been released to resolve a number of security issues. It is strongly recommended that all running SquirrelMail prior to 1.4.4 upgrade to the latest release.

Multiple vulnerabilities have been discovered in SquirrelMail. These vulnerabilities include remote file inclusion, cross site scripting issues and local file inclusion.

DETAILS

Vulnerable Systems:
* Squirrelmail version 1.4.3 and prior

Immune Systems:
* Squirrelmail version 1.4.4 or newer

Remote File Inclusion
Manoel Zaninetti reported an issue in src/webmail.php which would allow a crafted URL to include a remote web page. This was assigned CAN-2005-0103 by the Common Vulnerabilities and Exposures.

Cross Site Scripting Issues
A possible cross site scripting issue exists in src/webmail.php that is only accessible when the PHP installation is running with register_globals set to On. This issue was uncovered internally by the SquirrelMail Development team. This issue was assigned CAN-2005-0104 by the Common Vulnerabilities and Exposures.

A second issue which was resolved in the 1.4.4-rc1 release was uncovered and assigned CAN-2004-1036 by the Common Vulnerabilities and Exposures. This issue could allow a remote user to send a specially crafted header and cause execution of script (such as javascript) in the client browser.

Local File Inclusion
A possible local file inclusion issue was uncovered by one of our developers involving custom preference handlers. This issue is only active if the PHP installation is running with register_globals set to On.

It is strongly suggested that all users running SquirrelMail prior to 1.4.4 upgrade to the latest release. Those using a development release, should upgrade to the latest snapshots to ensure they have the latest updates for these issues. A full list of changes in this, and previous releases can be found here.

For further updates on security issues, details are posted to http://www.squirrelmail.org/security/. Any security issues should be emailed to security@squirrelmail.org.