
Bugtraq mailing list archives
[ GLSA 200501-39 ] SquirrelMail: Multiple vulnerabilities
From: Sune Kloppenborg Jeppesen <jaervosz () gentoo org>
Date: Fri, 28 Jan 2005 15:46:32 +0100
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory            GLSA 200501-39
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                        http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: SquirrelMail: Multiple vulnerabilities
      Date: January 28, 2005
      Bugs: #78116
        ID: 200501-39

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

SquirrelMail fails to properly sanitize user input, which could lead to
arbitrary code execution and compromise webmail accounts.

Background
==========

SquirrelMail is a webmail package written in PHP. It supports IMAP and
SMTP and can optionally be installed with SQL support.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
  1  mail-client/squirrelmail      <= 1.4.3a-r2             >= 1.4.4

Description
===========

SquirrelMail fails to properly sanitize certain strings when decoding
specially-crafted input, which can lead to PHP file inclusion and XSS.

* Insufficient checking of incoming URLs in prefs.php (CAN-2005-0075)
  and in webmail.php (CAN-2005-0103).

* Insufficient escaping of integers in webmail.php (CAN-2005-0104).

Impact
======

By sending a specially-crafted URL, an attacker can execute arbitrary
code from the local system with the permissions of the web server.
Furthermore, by enticing a user to load a specially-crafted URL, it is
possible to display arbitrary remote web pages in SquirrelMail's
frameset and execute arbitrary scripts running in the context of the
victim's browser. This could lead to a compromise of the user's webmail
account, cookie theft, etc.

Workaround
==========

The arbitrary code execution is only possible with "register_globals"
set to "On". Gentoo ships PHP with "register_globals" set to "Off" by
default.

There are no known workarounds for the other issues at this time.

Resolution
==========

All SquirrelMail users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/squirrelmail-1.4.4"

Note: Users with the vhosts USE flag set should manually use
webapp-config to finalize the update.

References
==========

  [ 1 ] SquirrelMail Advisory
        http://sourceforge.net/mailarchive/message.php?msg_id=10628451
  [ 2 ] CAN-2005-0075
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0075
  [ 3 ] CAN-2005-0103
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0103
  [ 4 ] CAN-2005-0104
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0104

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200501-39.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
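The Workaround section states that the code-execution path needs "register_globals" set to "On". The PHP sketch below is added here as an illustration of the general pattern behind that dependency (an include path read from an implicit global that a request can populate) next to a hardened form; it is not SquirrelMail's code or part of the advisory, and the variable, directory and plugin names are constructed for the example.

```php
<?php
// Added illustration (not SquirrelMail code): why a local file
// inclusion can hinge on register_globals=On.
//
// With register_globals=On, PHP creates a global variable for every
// request parameter. A script that assumes $plugin_dir was set by an
// earlier config include will silently take ?plugin_dir=... from the
// URL whenever that include did not run or did not set it.

// Vulnerable pattern: the include path is trusted from a global that
// this script never initialised itself.
function load_plugin_vulnerable($name)
{
    global $plugin_dir;   // under register_globals=On this may be request data
    include $plugin_dir . '/' . $name . '/setup.php';
}

// Hardened pattern: fix the base directory in code, accept only names
// from an allowlist, and confirm the resolved path stays under the base.
function load_plugin_hardened($name)
{
    $base    = __DIR__ . '/plugins';         // constant, not request-controlled
    $allowed = array('calendar', 'filters'); // constructed allowlist for this example

    if (!in_array($name, $allowed, true)) {
        return false;
    }

    $real_base = realpath($base);
    $path      = realpath($base . '/' . $name . '/setup.php');
    // realpath() resolves '..' and symlinks; reject anything outside $base.
    if ($real_base === false || $path === false
        || strpos($path, $real_base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    include $path;
    return true;
}

// Check for the configuration the advisory names as the mitigating
// default. ini_get() returns '' or '0' when the directive is Off, and
// false on PHP versions where the directive no longer exists.
function register_globals_is_off()
{
    return !filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}
```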
