SquirrelMail  
Donations
News
About
Support
Screen shots
Download
Plugins
Documentation
Sponsors
Bounties













Security Notice
Phishing campain
Version 1.4.15
Security Upgrade

Security

Server-side code injection in map_yp_alias username map

Date:
2009-05-10
Description:
An issue was fixed that allowed arbitrary server-side code execution when SquirrelMail was configured to use the example "map_yp_alias" username mapping functionality.

This functionality is not enabled by default.

The fix in 1.4.18 was incomplete, upgrade to 1.4.19 or use the patch referenced below for full protection.
Affected Versions:
<= 1.4.18
Register Globals:
Register_globals does not have to be on for this issue.
CVE ID(s):
CVE-2009-1579
CVE-2009-1381
Patch:
view patch
Credits:
Niels Teusink
This page last updated:
2009-05-21 19:45:36
© 1999-2010 by The SquirrelMail Project Team