SquirrelMail Three Vulnerabilities

Discussion in 'E-mail Discussion' started by projectandrew, Jan 24, 2005.

  1. projectandrew

    projectandrew Well-Known Member

    SquirrelMail Three Vulnerabilities
    http://secunia.com/advisories/13962/

    Description:
    Three vulnerabilities have been reported in SquirrelMail, which can be exploited by malicious people to gain knowledge of sensitive information or conduct cross-site scripting attacks.

    1) Insufficient sanitation of integer variables in webmail.php can be exploited to include arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site.

    The vulnerability affects versions 1.4.0-RC1 through 1.4.4-RC1.

    2) Insufficient validation of incoming URL vars in webmail.php can be exploited to include arbitrary web pages in the SquirrelMail frameset.

    The vulnerability affects versions 1.4.0-RC1 through 1.4.4-RC1.

    3) An error in prefs.php can be exploited to include arbitrary code from local resources via a specially crafted URL.

    Successful exploitation requires that register_globals is set to "On".

    The vulnerability affects versions 1.4.3-RC1 through 1.4.4-RC1.

    Solution:
    Update to version 1.4.4.
    http://www.squirrelmail.org/download.php

    Provided and/or discovered by:
    1) Reported by vendor.
    2) Manoel Zaninetti
    3) Jimmy Conner

    Original Advisory:
    http://www.squirrelmail.org/security/issue/2005-01-20
    http://www.squirrelmail.org/security/issue/2005-01-19
    http://www.squirrelmail.org/security/issue/2005-01-14


    I have updated my HOW-TO on upgrading to SquirrelMail 1.4.4:

    HOW-TO: Upgrade to SquirrelMail 1.4.4 on cPanel
    http://www.unofficial-support.com/article/how-to/upgrade_squirrelmail_cpanel
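
As an added example (not part of the original post or the advisory), a Python triage check that maps an installed SquirrelMail version to the three advisory items by the affected ranges quoted above. The function names and the accepted version-string format (N.N.N, optional letter suffix, optional -RCn) are assumptions.

```python
import re

# Affected ranges exactly as listed in the advisory quoted above (inclusive).
ADVISORY = {
    1: ("script injection via integer variables in webmail.php", "1.4.0-RC1", "1.4.4-RC1"),
    2: ("arbitrary pages in the frameset via URL vars in webmail.php", "1.4.0-RC1", "1.4.4-RC1"),
    3: ("local code inclusion via prefs.php", "1.4.3-RC1", "1.4.4-RC1"),
}

# Assumed format: N.N.N, optional letter suffix, optional -RCn.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-RC(\d+))?$", re.IGNORECASE)


def version_key(text):
    """Return a sortable key in which a release candidate precedes its final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, letter, rc = m.groups()
    # Final releases get (1, 0); -RCn gets (0, n), so 1.4.4-RC1 < 1.4.4.
    stage = (0, int(rc)) if rc else (1, 0)
    return (int(major), int(minor), int(patch), stage, letter.lower())


def triage(installed, register_globals):
    """Return the advisory item numbers that apply to this install."""
    v = version_key(installed)
    hits = []
    for item, (_, first, last) in sorted(ADVISORY.items()):
        if not version_key(first) <= v <= version_key(last):
            continue
        # Item 3 is only exploitable when register_globals is "On".
        if item == 3 and not register_globals:
            continue
        hits.append(item)
    return hits


if __name__ == "__main__":
    # Constructed sample inventory: (installed version, register_globals setting).
    for version, rg in [("1.4.2", True), ("1.4.3a", False), ("1.4.4-RC1", True), ("1.4.4", True)]:
        hits = triage(version, rg)
        print(f"{version:10} register_globals={'On' if rg else 'Off':3} -> "
              + ("; ".join(f"{i}) {ADVISORY[i][0]}" for i in hits) or "not in an affected range"))
```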
     