SquirrelMail  
Donations
News
About
Support
Screen shots
Download
Plugins
Documentation
Sponsors
Bounties













Security Notice
Phishing campain
Version 1.4.15
Security Upgrade

Security

$_POST variable handling in options_identites allows for different attacks

Date:
2005-07-13
Description:
An extract($_POST) was done in options_identities.php which allowed for an attacker to set random variables in that file. This could lead to the reading (and possible writing) of other people's preferences, cross site scripting or writing files in webserver-writable locations.
Affected Versions:
<= 1.4.5-RC1
Register Globals:
This requires the PHP register_globals setting to be On, a setting both PHP and SquirrelMail highly discourage.
CVE ID(s):
CVE-2005-2095
Patch:
view patch
Credits:
Thanks James Bercegay of GulfTech Security for finding this issue.
This page last updated:
2006-07-09 15:52:56
© 1999-2010 by The SquirrelMail Project Team