Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

SquirrelMail Security Advisory

from [Jonathan Angliss] Network Security [Permanent Link]
Subject: SquirrelMail Security Advisory
Date: Fri, 28 Jan 2005 23:09:03 -0600 (CST) 
SquirrelMail Security Advisory
==============================

SquirrelMail 1.4.4 has been released to resolve a number of security
issues disclosed below.  It is strongly recommended that all running
SquirrelMail prior to 1.4.4 upgrade to the latest release.

Remote File Inclusion
---------------------
Manoel Zaninetti reported an issue in src/webmail.php which would allow a
crafted URL to include a remote web page.  This was assigned CAN-2005-0103
by the Common Vulnerabilities and Exposures.

Cross Site Scripting Issues
---------------------------
A possible cross site scripting issue exists in src/webmail.php that is
only accessible when the PHP installation is running with register_globals
set to On.  This issue was uncovered internally by the SquirrelMail
Development team. This isssue was assigned CAN-2005-0104 by the Common
Vulnerabilities and Exposures.

A second issue which was resolved in the 1.4.4-rc1 release was uncovered
and assigned CAN-2004-1036 by the Common Vulnerabilities and Exposures. 
This issue could allow a remote user to send a specially crafted header
and cause execution of script (such as javascript) in the client browser.

Local File Inclusion
--------------------
A possible local file inclusion issue was uncovered by one of our
developers involving custom preference handlers.  This issue is only
active if the PHP installation is running with register_globals set to On.


It is strongly suggested that all users running SquirrelMail prior to
1.4.4 upgrade to the latest release.  Those using a development release,
should upgrade to the latest snapshots to ensure they have the latest
updates for these issues.  A full list of changes in this, and previous
releases can be found here (http://www.squirrelmail.org/changelog.php).

For further updates on security issues, details are posted to
http://www.squirrelmail.org/security/.  Any security issues should be
emailed to security@squirrelmail.org.

We'd like to express thanks for those that have worked with us on getting
security issues resolved with SquirrelMail, and hope that people continue
to do so in such fashion, it is much appreciated.

-- 
Jonathan Angliss
SquirrelMail Development Team
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • SquirrelMail Security Advisory, Jonathan Angliss <=
Previous by Date:  RE: SECURITY.NNOV: Multiple applications fd_set structure bitmap array index overflow, David LeBlanc
Next by Date:  Re: List of all admin accounts in phpBB, Paul Laudanski
Previous by Thread:  [Full-Disclosure] [ GLSA 200501-40 ] ngIRCd: Buffer overflow, Thierry Carrez
Next by Thread:  XSS in Infinite Mobile Delivery v2.6 Webmail, steven
Indexes:  [Date] [Thread] [Top] [All Lists]