Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (E-mail Server)  >   SquirrelMail Vendors:   SquirrelMail Development Team
SquirrelMail Include File Bug May Let Remote Users Access Files on the Target System
SecurityTracker Alert ID:  1016209
SecurityTracker URL:
CVE Reference:   CVE-2006-2842   (Links to External Site)
Updated:  Jul 3 2006
Original Entry Date:  Jun 2 2006
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.4.6 and prior versions
Description:   A vulnerability was reported in SquirrelMail. A remote user can include and view files on the target system.

The 'functions/plugin.php' script does not properly validate user-supplied input in the 'name' parameter. If register_globals is enabled and magic_quotes_gpc is disabled, a remote user can supply a specially crafted URL to cause the target system to include files from the target system. This may allow the remote user to view the contents of the file.

A demonstration exploit URL is provided:

http://[target]/[squirrelmail dir]/src/redirect.php?plugins[]=../../../../etc/passwd%00

The vendor credits Junker Broke of Denix Solutions with reporting this vulnerability.

Impact:   A remote user may be able to view files on the target system.
Solution:   The vendor has issued a patch.

The SquirrelMail advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 3 2006 (Red Hat Issues Fix) SquirrelMail Include File Bug May Let Remote Users Access Files on the Target System
Red Hat has released a fix for Red Hat Enterprise Linux 3 and 4.

 Source Message Contents

Subject:  Squirrelmail local file inclusion

Squirrelmail local file inclusion bug in functions/plugin.php .

Tested on the latest 1.4.x version.

No authentication needed.

if (isset($plugins) && is_array($plugins)) {

    foreach ($plugins as $name) {




function use_plugin ($name) {

    if (file_exists(SM_PATH . "plugins/$name/setup.php")) {

        include_once(SM_PATH . "plugins/$name/setup.php");

        $function = "squirrelmail_plugin_init_$name";

        if (function_exists($function)) {






If register_globals is on we can control the $name variable.

In order to avoid errors SM_PATH needs to be defined. Exploitation

is done through src/redirect.php ( it includes functions/plugin.php

prior to authentication and it defines SM_PATH ).

magic_quotes_gpc needs to be off.


http://[host]/[squirrelmail dir]/src/redirect.php?plugins[]=../../../../etc/passwd%00

Denix Solutions

Unix/Linux Solutions for your Business


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC