Security

IMAP injection in sqimap_mailbox_select mailbox parameter

Date:

2006-02-15

Description:

By adding newlines to the mailbox parameter of sqimap_mailbox_select, a logged in user can add additional IMAP commands after the command issued by SquirrelMail. The real-world impact of this is unknown.

Affected Versions:

<= 1.4.5

Register Globals:

Register_globals does not have to be on for this issue.

CVE ID(s):

CVE-2006-0377

Patch:

view patch

Credits:

Vicente Aguilera of Internet Security Auditors, S.L.

This page last updated:

2007-07-03 12:58:51