SecurityTracker.com

SecurityTracker Archives
Category:   Application (E-mail Server)  >   SquirrelMail
Vendors:   SquirrelMail Development Team
SquirrelMail Input Validation Flaw in 'abook_database.php' May Let Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1010842
SecurityTracker URL:  http://securitytracker.com/id/1010842
CVE Reference:   CVE-2004-0521
Date:  Aug 3 2004
Impact:   Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.4.2 and prior versions
Description:   An input validation vulnerability was reported in SquirrelMail. A remote user may be able to execute SQL statements on the target system.

It is reported that when SquirrelMail is configured to store user address books in the database, a remote attacker can exploit a flaw to execute arbitrary SQL statements.

The flaw resides in 'abook_database.php', where the $alias variable is inserted into a SQL query without being properly filtered.

Impact:   A remote user can inject SQL commands to be executed by the underlying database.
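To show the bug class the advisory describes, here is an added example (not SquirrelMail code) that models the address-book lookup with an in-memory SQLite table; the table and column names are assumptions based on the query shape in the advisory. It contrasts the unfiltered string-formatted query with two remediations: escaping the quote character (the approach the vendor patch takes via the DB layer's quoting routine) and bound parameters.

```python
import sqlite3

# Constructed in-memory address book; table/column names are assumed.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE address (owner TEXT, nickname TEXT, email TEXT)")
    db.executemany("INSERT INTO address VALUES (?, ?, ?)", [
        ("alice", "bob", "bob@example.org"),
        ("alice", "carol", "carol@example.org"),
        ("mallory", "dave", "dave@example.org"),
    ])
    return db

def lookup_vulnerable(db, owner, alias):
    # Mirrors the pre-fix pattern: the alias is formatted straight into SQL text,
    # so quote characters in it become SQL syntax instead of data.
    query = "SELECT * FROM address WHERE owner='%s' AND nickname='%s'" % (owner, alias)
    return db.execute(query).fetchall()

def lookup_escaped(db, owner, alias):
    # Mirrors the patch's approach: escape the string delimiter before formatting.
    # SQLite escapes a single quote by doubling it (other backends differ).
    query = "SELECT * FROM address WHERE owner='%s' AND nickname='%s'" % (
        owner.replace("'", "''"), alias.replace("'", "''"))
    return db.execute(query).fetchall()

def lookup_safe(db, owner, alias):
    # Bound parameters: the driver never lets the alias alter the query structure.
    query = "SELECT * FROM address WHERE owner=? AND nickname=?"
    return db.execute(query, (owner, alias)).fetchall()

def demo():
    db = make_db()
    # Constructed hostile nickname: closes the literal and widens the WHERE clause,
    # so the unfiltered query returns every owner's entries instead of none.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_rows": len(lookup_vulnerable(db, "mallory", crafted)),
        "escaped_rows": len(lookup_escaped(db, "mallory", crafted)),
        "safe_rows": len(lookup_safe(db, "mallory", crafted)),
        "safe_normal": len(lookup_safe(db, "alice", "bob")),
    }

if __name__ == "__main__":
    print(demo())
```

A regression test on a real deployment would assert the same thing: a nickname containing quote characters must never change the row set beyond that owner's own entries.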
Solution:   The vendor has released a fixed version (1.4.3 RC1 and later versions), available at:

http://www.squirrelmail.org/download.php

Vendor URL:  www.squirrelmail.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 3 2004 (Debian Issues Fix) SquirrelMail Input Validation Flaw in 'abook_database.php' May Let Remote Users Inject SQL Commands
Debian has released a fix.
Sep 8 2004 (Apple Issues Fix) SquirrelMail Input Validation Flaw in 'abook_database.php' May Let Remote Users Inject SQL Commands
Apple has released a fix for Mac OS X.
Oct 2 2004 (Fedora Issues Fix for RH Linux) SquirrelMail Input Validation Flaw in 'abook_database.php' May Let Remote Users Inject SQL Commands
Fedora has released a fix for Red Hat Linux 9.
Dec 30 2004 (Conectiva Issues Fix) SquirrelMail Input Validation Flaw in 'abook_database.php' May Let Remote Users Inject SQL Commands
Conectiva has released a fix.



Source Message Contents

Subject:  [SM-CVS] CVS: squirrelmail/functions abook_database.php,1.15.2.1,1.15.2.2


Update of /cvsroot/squirrelmail/squirrelmail/functions
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv12078

Modified Files:
       Tag: SM-1_4-STABLE
	abook_database.php
Log Message:
SQL injection fix. This is serious I think.


Index: abook_database.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/functions/abook_database.php,v
retrieving revision 1.15.2.1
retrieving revision 1.15.2.2
diff -u -w -r1.15.2.1 -r1.15.2.2
--- abook_database.php	24 Feb 2004 15:57:14 -0000	1.15.2.1
+++ abook_database.php	27 Apr 2004 19:20:18 -0000	1.15.2.2
@@ -163,7 +163,7 @@
          }

          $query = sprintf("SELECT * FROM %s WHERE owner='%s' AND nickname='%s'",
-                         $this->table, $this->owner, $alias);
+                         $this->table, $this->owner, $this->dbh->quoteString($alias));

          $res = $this->dbh->query($query);
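Review bot: the hunk escapes only $alias, while $this->owner is still formatted into the same query unescaped on the line above; unless owner is guaranteed never to contain quote characters it should get the same quoteString() treatment, and a bound-parameter query would remove the sprintf pattern altogether. Also worth a comment: since the format string keeps its surrounding single quotes, this relies on quoteString() returning the escaped value without delimiters, which a later reader might otherwise mistake for double-quoting.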
Copyright 2019, SecurityGlobal.net LLC