Hello all,

> up until the first nul byte. I see that the plugins[] array is actually
> never reset in the squirrelmail source or configuration, allowing for
> this kind of thing.

Right, I agree that the bug exists; it has been discussed on the
upstream [EMAIL PROTECTED] list but I apparently neglected to
follow up to Debian.

However, I doubt the criticality of the issue. It is only exploitable
with register_globals (rg) set to On.

As you might know:
- the Debian 'squirrelmail' Apache configuration ships with rg disabled;
- the Debian 'php4' configuration ships with rg disabled;
- it is well known and well documented that enabling register_globals is
  a security risk.

Therefore, someone who overrides both the PHP and SquirrelMail default
configuration for this setting, while there is no need at all to do so,
is willingly opening up security risks.

Running with register_globals on is not supported with upstream
SquirrelMail and heavily discouraged (?) with PHP.

Of course the bug will be fixed, but for this reason I don't think we
should rush out an advisory or leave this bug at serious severity.


I value input on this matter from the security team.


regards,
Thijs
