Security
DoS risk against login page
- Date: 2010-07-23
- Description: A bug has been identified in SquirrelMail that poses a denial-of-service risk. The problem exists in SquirrelMail versions up through 1.4.20: an attacker can submit random login attempts with 8-bit characters in the password. This causes SquirrelMail to temporarily accept the login (further actions will all fail; the user is never *actually* logged in) and to create a preferences file (if one does not already exist) for the given username. An attacker could continue to use random usernames with the same password until enough preference files are created that the server runs out of hard disk space. We consider this a relatively low-risk problem, but it nevertheless has been fixed in SquirrelMail version 1.4.21.
- Affected Versions: <= 1.4.20
- Register Globals: register_globals does not have to be on for this issue.
- CVE ID(s): CVE-2010-2813
- Patch: view patch
- Credits: Mikhail Goriachev
- This page last updated: 2010-07-23 09:27:06
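
An added example, not part of the advisory or of SquirrelMail's own code: a Python audit for the symptom described above, namely many preference files for usernames that are not real accounts, created close together. It assumes preference files are stored as `<username>.pref` in the data directory; `audit_pref_files`, its thresholds and the sample usernames are hypothetical.

```python
import os
import tempfile
import time

def audit_pref_files(data_dir, known_users, window=3600, burst=20):
    """Return (orphans, burst_detected) for a SquirrelMail-style data directory.

    orphans: usernames with a .pref file that are not in known_users
             (assumed naming: <username>.pref), oldest first.
    burst_detected: True when at least `burst` orphan files fall within
             any `window`-second span, the disk-filling pattern described.
    """
    found = []
    for name in os.listdir(data_dir):
        if not name.endswith(".pref"):
            continue  # ignore address books and other data files
        user = name[:-len(".pref")]
        if user not in known_users:
            mtime = os.stat(os.path.join(data_dir, name)).st_mtime
            found.append((mtime, user))
    found.sort()
    times = [t for t, _ in found]
    burst_detected = False
    start = 0
    for end in range(len(times)):  # sliding window over sorted mtimes
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= burst:
            burst_detected = True
            break
    return [u for _, u in found], burst_detected

def demo():
    """Audit a constructed data directory: 2 real users, 25 junk entries."""
    known = {"alice", "bob"}  # constructed account list
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        for user in known:
            open(os.path.join(d, user + ".pref"), "w").close()
        open(os.path.join(d, "alice.abook"), "w").close()
        for i in range(25):  # constructed junk usernames, 2 s apart
            path = os.path.join(d, "x%04d.pref" % i)
            open(path, "w").close()
            os.utime(path, (now + 2 * i, now + 2 * i))
        return audit_pref_files(d, known)

if __name__ == "__main__":
    orphans, burst = demo()
    print(len(orphans), "orphaned preference files; burst:", burst)
```

In practice `known_users` would come from the mail system's real account list, and any orphaned files found can be removed after upgrading to 1.4.21.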