SecurityTracker.com
SecurityTracker
Archives


 


Category:  Application (E-mail Server) > SquirrelMail
Vendors:  SquirrelMail Development Team
SquirrelMail 'compose.php' Lets Remote Authenticated Users Overwrite Variables
SecurityTracker Alert ID:  1016689
SecurityTracker URL:  http://securitytracker.com/id/1016689
CVE Reference:  CVE-2006-4019
Date:  Aug 12 2006
Impact:   Disclosure of user information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 1.4.8
Description:   A vulnerability was reported in SquirrelMail. A remote authenticated user can overwrite certain variables.

A remote authenticated user can invoke 'compose.php' and specify arbitrary values for arbitrary parameters, regardless of the register_globals setting. This may allow the user to read or overwrite a target user's preference file or attachments.
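The following PHP snippet is an added illustration of the bug class described above; it is not SquirrelMail's code and the function names, the field list and the sample input are hypothetical. It shows why register_globals being off offers no protection here: a session-resume handler that copies every submitted key into a script variable (via variable variables, or equivalently extract()) reintroduces register_globals for that one script, so any field the script trusts, a username or a storage path for example, can be replaced. The hardened version restores only an allow-listed set of compose fields into a dedicated array and never touches the script's own variables.

```php
<?php
// Added example, not SquirrelMail's code. Demonstrates the "overwrite
// arbitrary variables" pattern from the advisory and an allow-list fix.

// Hypothetical list of fields a compose form legitimately needs restored
// after a session timeout.
const ALLOWED_COMPOSE_FIELDS = ['send_to', 'subject', 'body', 'mailbox'];

// Vulnerable pattern: every key of the saved request becomes a variable in
// this scope, so a submitted field named "username" replaces the value the
// script obtained from the session. register_globals plays no role here;
// the script does the copying itself.
function restore_compose_vulnerable(array $saved_post): array
{
    $username = 'alice';            // trusted value, taken from the session
    $subject  = '';
    foreach ($saved_post as $key => $value) {
        $$key = $value;             // variable-variable assignment: overwrites anything
    }
    return ['username' => $username, 'subject' => $subject];
}

// Hardened pattern: restore only known fields, only as strings, and only
// into a separate array. Unknown keys are ignored and logged.
function restore_compose_hardened(array $saved_post): array
{
    $restored = [];
    foreach (ALLOWED_COMPOSE_FIELDS as $field) {
        if (array_key_exists($field, $saved_post) && is_string($saved_post[$field])) {
            $restored[$field] = $saved_post[$field];
        }
    }
    $unexpected = array_diff(array_keys($saved_post), ALLOWED_COMPOSE_FIELDS);
    if ($unexpected !== []) {
        // A defender would want this in the application log: unexpected
        // keys in a resumed compose request are a signal worth alerting on.
        error_log('compose resume: ignored unexpected fields: ' . implode(',', $unexpected));
    }
    return $restored;
}

// Constructed sample input: one legitimate compose field plus a key the
// form never sends.
$saved = ['subject' => 'Hello', 'username' => 'bob'];

$v = restore_compose_vulnerable($saved);
echo "vulnerable: username is now '{$v['username']}'\n";   // 'bob': session identity replaced

$h = restore_compose_hardened($saved);
echo "hardened:   restored fields = " . implode(',', array_keys($h)) . "\n"; // subject only
```

The design point is that the safe direction of data flow is from the request into a purpose-built array, never from the request into the script's symbol table; a fixed allow-list of field names is what makes "arbitrary parameters" impossible, and rejecting non-string values keeps array-shaped input from reaching code that expects scalars.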

The vendor credits James Bercegay of GulfTech Security Research with discovering this vulnerability.

Impact:   A remote authenticated user may be able to read or overwrite a target user's preference file or attachments.
Solution:   The vendor has issued a fixed version (1.4.8), available at:

http://www.squirrelmail.org/download.php

Some patches are also available:

http://www.squirrelmail.org/patches/sqm1.4.7-expired-post-fix-minimal.patch
http://www.squirrelmail.org/patches/sqm1.4.7-expired-post-fix-full.patch

The SquirrelMail advisory is available at:

http://www.squirrelmail.org/security/issue/2006-08-11

Vendor URL:  www.squirrelmail.org/security/issue/2006-08-11
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 26 2006 (Red Hat Issues Fix) SquirrelMail 'compose.php' Lets Remote Authenticated Users Overwrite Variables
Red Hat has released a fix for Red Hat Enterprise Linux 3 and 4.



Source Message Contents

Subject:  SquirrelMail 1.4.8 released - fixes variable overwriting attack



Hello all,

Today SquirrelMail version 1.4.8 has been released with a collection of
bugfixes and an important security fix. It was possible for an
authenticated user to overwrite random variables in the compose.php
script. This may open up possible attack vectors like reading or
overwriting a user's preference file or attachments.

We advise all current SquirrelMail users to upgrade. There's also a
patch available against 1.4.7. The interesting thing is that the
function that contained the flaw was actually broken. The function is
used to resume a compose session of a user that is confronted with a
session timeout after composing a long mail. We've got two patches
available: a minimal one which just removes the code, since it was
broken anyway, and a full version that repairs the functionality and
closes the hole.

SquirrelMail can be downloaded here:
http://www.squirrelmail.org/download.php
The patches can be found here:
http://www.squirrelmail.org/patches/sqm1.4.7-expired-post-fix-minimal.patch
http://www.squirrelmail.org/patches/sqm1.4.7-expired-post-fix-full.patch
They also apply against the current development version.

We'd like to thank James Bercegay of GulfTech Security Research for
finding this issue and reporting it to us.


Happy SquirrelMailing!


Thijs Kinkhorst
on behalf of the SquirrelMail team


 
 








Copyright 2019, SecurityGlobal.net LLC