SquirrelMail Three Vulnerabilities

Discussion in 'E-mail Discussions' started by projectandrew, Jan 24, 2005.

  1. projectandrew

    SquirrelMail Three Vulnerabilities
    http://secunia.com/advisories/13962/

    Description:
    Three vulnerabilities have been reported in SquirrelMail, which can be exploited by malicious people to gain knowledge of sensitive information or conduct cross-site scripting attacks.

    1) Insufficient sanitation of integer variables in webmail.php can be exploited to include arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site.

    The vulnerability affects versions 1.4.0-RC1 through 1.4.4-RC1.

    2) Insufficient validation of incoming URL vars in webmail.php can be exploited to include arbitrary web pages in the SquirrelMail frameset.

    The vulnerability affects versions 1.4.0-RC1 through 1.4.4-RC1.

    3) An error in prefs.php can be exploited to include arbitrary code from local resources via a specially crafted URL.

    Successful exploitation requires that register_globals is set to "On".

    The vulnerability affects versions 1.4.3-RC1 through 1.4.4-RC1.

    Solution:
    Update to version 1.4.4.
    http://www.squirrelmail.org/download.php

    Provided and/or discovered by:
    1) Reported by vendor.
    2) Manoel Zaninetti
    3) Jimmy Conner

    Original Advisory:
    http://www.squirrelmail.org/security/issue/2005-01-20
    http://www.squirrelmail.org/security/issue/2005-01-19
    http://www.squirrelmail.org/security/issue/2005-01-14


    I have updated my HOW-TO on upgrading to SquirrelMail 1.4.4:

    HOW-TO: Upgrade to SquirrelMail 1.4.4 on cPanel
    http://www.unofficial-support.com/article/how-to/upgrade_squirrelmail_cpanel
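
An added example, not part of the original post or the advisory: a Python check that maps an installed SquirrelMail version string onto the three affected ranges listed above, ordering release candidates before the final release so that 1.4.4-RC1 is flagged and 1.4.4 is not. The function names, the caller-supplied `register_globals` flag and the handling of a letter suffix such as `1.4.3a` are assumptions of this example.

```python
import re

# Affected ranges exactly as listed in the advisory quoted in the post above:
# (issue number, short label, first affected version, last affected version)
AFFECTED = [
    (1, "script injection via integer variables in webmail.php", "1.4.0-RC1", "1.4.4-RC1"),
    (2, "page inclusion in frameset via URL vars in webmail.php", "1.4.0-RC1", "1.4.4-RC1"),
    (3, "local code inclusion via prefs.php", "1.4.3-RC1", "1.4.4-RC1"),
]
NEEDS_REGISTER_GLOBALS = {3}  # advisory: issue 3 requires register_globals "On"

# Accepts "1.4.4", "1.4.4-RC1", "1.4.4RC1" and a letter suffix like "1.4.3a".
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:([a-z])|-?RC(\d+))?$", re.IGNORECASE)


def version_key(text):
    """Sortable key: release candidates sort before the final release,
    and a letter suffix (assumed form, e.g. '1.4.3a') sorts after it."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SquirrelMail version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(5):  # release candidate: stage 0, ordered by RC number
        return (major, minor, patch, 0, int(m.group(5)))
    letter = m.group(4)
    return (major, minor, patch, 1, ord(letter.lower()) - 96 if letter else 0)


def exposure(installed, register_globals):
    """Return the advisory issue numbers whose listed range covers this install."""
    key = version_key(installed)
    hits = []
    for issue, _label, first, last in AFFECTED:
        if not version_key(first) <= key <= version_key(last):
            continue
        if issue in NEEDS_REGISTER_GLOBALS and not register_globals:
            continue  # precondition stated in the advisory is not met
        hits.append(issue)
    return hits


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real server.
    for ver, rg in [("1.4.3a", True), ("1.4.4-RC1", False), ("1.4.4", True)]:
        print(ver, f"register_globals={rg}", "->", exposure(ver, rg) or "none listed")
```

An empty result only means the version is outside the ranges this advisory lists.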
     