David Rees said:
> I verified the exploits on 1.2.11. They don't appear to work on 1.4.0:
>
> http://www.securityfocus.com/bid/7952/exploit/
>
> Looks bad!
>
> -Dave
Depends on the definition of bad. Why does a user want to delete his own mailbox by modifying the URI??? If the user does that he/she operates on his/her own mailboxes and is probably perfectly aware of what he/she is doing. It's much easier to go to the folder page and do the delete through the UI :) It's a pseudo vulnerability IMHO. When you want to access move_messages you still need a valid login => a cookie with a key to authenticate against IMAP.

Regards,

Marc Groot Koerkamp

> > Brian G. Peterson said:
> > I saw this in the linux rollup of the weekly Bugtraq messages. I
> > thought someone should check it out and respond, as well as making sure
> > that SM 1.4.0 and the STABLE and DEVEL branches are not affected.
> >
> > I looked through my bugtraq archive, and searched online, and can't find
> > this bugtraq message at all. Is this a re-hash of the stuff that was
> > reported on Bugtraq in March/April?
> >
> > More information about this is available at the URL below.
> >
> > - Brian Peterson
> >
> > --- Relevant portions here: ---
> > 21. Squirrelmail Multiple Remote Vulnerabilities
> > BugTraq ID: 7952
> > Remote: Yes
> > Date Published: Jun 17 2003 12:00AM
> > Relevant URL:
> > http://www.securityfocus.com/bid/7952
> > Summary:
> >
> > SquirrelMail is a webmail program implemented in the PHP4 language. It
> > is available for Linux and Unix based operating systems.
> >
> > Multiple vulnerabilities have been reported for SquirrelMail PHP scripts
> > which could be exploited to carry out a variety of attacks. Successful
> > exploitation could result in a wide variety of circumstances including
> > data corruption, information disclosure, and privilege escalation.
> >
> > These vulnerabilities were reported for SquirrelMail 1.2.11, however,
> > earlier versions may also be affected.
> >
> > It should be noted that as further analysis is carried out on these
> > vulnerabilities, each issue will be given its own individual Bugtraq
> > ID. At that time, this BID will be retired.
> --
> squirrelmail-devel mailing list
> List Address: [EMAIL PROTECTED]
> List Archives: http://sourceforge.net/mailarchive/forum.php?forum_idq39
> List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel

--
squirrelmail-users mailing list
List Address: [EMAIL PROTECTED]
List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id)95
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
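Marc's point above is that a folder-deleting URI only does anything for a request that already carries a valid login cookie, and then only on that user's own mailboxes. The following is an added example written for this thread, not SquirrelMail's own code: a minimal delete-folder handler that verifies the session cookie, validates the mailbox name taken from the URI, and refuses anything outside the authenticated user's namespace. The cookie format (username plus an HMAC tag), the `SERVER_SECRET`, the in-memory `mailboxes` store and the folder-name rule are all constructed for the illustration.

```python
"""Illustrative delete-folder handler: act on a URI parameter only for an
authenticated session and only within that user's own mailboxes.
Constructed example; not SquirrelMail's implementation."""

import hashlib
import hmac
import re
from typing import Dict, Optional, Set, Tuple

# Constructed server-side secret used to sign session cookies.
SERVER_SECRET = b"constructed-server-secret"

# Constructed rule: printable folder names, no parent-directory tricks.
FOLDER_RE = re.compile(r"^[A-Za-z0-9_.\-/ ]{1,100}$")


def issue_cookie(username: str) -> str:
    """Return 'username:tag' where tag is an HMAC the server can verify later."""
    tag = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{tag}"


def session_from_cookie(cookie: Optional[str]) -> Optional[str]:
    """Return the authenticated username, or None for a missing/forged cookie."""
    if not cookie or ":" not in cookie:
        return None
    username, tag = cookie.rsplit(":", 1)
    expected = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged tag can't be probed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    return username


def handle_delete_folder(
    cookie: Optional[str],
    query: Dict[str, str],
    mailboxes: Dict[str, Set[str]],
) -> Tuple[int, str]:
    """Process 'delete mailbox' with the folder name taken from the URI query.

    mailboxes maps username -> set of folder names (constructed store).
    Returns an (HTTP status, message) pair.
    """
    user = session_from_cookie(cookie)
    if user is None:
        # No valid login: the URI parameter is never even looked at.
        return 401, "login required"

    folder = query.get("mailbox", "")
    if not FOLDER_RE.match(folder) or ".." in folder:
        return 400, "bad mailbox name"
    if folder.upper() == "INBOX":
        return 403, "INBOX cannot be deleted"

    owned = mailboxes.get(user, set())
    if folder not in owned:
        # Lookup is scoped to the authenticated user's namespace, so a name
        # belonging to another account is simply not found here.
        return 404, "no such mailbox"

    owned.remove(folder)
    return 200, f"deleted {folder}"


if __name__ == "__main__":
    store = {"alice": {"INBOX", "Drafts", "old"}, "bob": {"INBOX", "old"}}
    print(handle_delete_folder(None, {"mailbox": "old"}, store))
    print(handle_delete_folder(issue_cookie("alice"), {"mailbox": "Drafts"}, store))
```

The ownership check is the part that matters for the thread's argument: whatever folder name a user puts in the URI, the handler only resolves it inside the namespace of the account the cookie authenticates, so the outcome is the same as clicking delete on the folder page.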