Server-side code injection in map_yp_alias username map
- An issue was fixed that allowed arbitrary server-side code execution when SquirrelMail was configured to use the example "map_yp_alias" username mapping functionality.
This functionality is not enabled by default.
The fix in 1.4.18 was incomplete, upgrade to 1.4.19 or use the patch referenced below for full protection.
- Affected Versions:
- <= 1.4.18
- Register Globals:
- Register_globals does not have to be on for this issue.
- CVE ID(s):
- view patch
- Niels Teusink
- This page last updated:
- 2009-05-21 19:45:36