![]() The mail message display page in SquirrelMail through 1.4.22 has XSS via a " Personal Informations > Email Address" setting.Ĭross-site request forgery (CSRF) vulnerability in compose.php in SquirrelMail 1.4.0 through 1.4.9a allows remote attackers to send e-mails from arbitrary users via certain data in the SRC attribute of an IMG element. ![]() NOTE: the vendor disputes this because these two conditions for PHP object injection are not satisfied: existence of a PHP magic method (such as _wakeup or _destruct), and any attack-relevant classes must be declared before unserialize is called (or must be autoloaded).Ĭompose.php in SquirrelMail 1.4.22 calls unserialize for the $mailtodata value, which originates from an HTTP GET request. ** DISPUTED ** compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663. 'SEARCH ALL searchwhere \'searchwhat\'' was changed to ss. Squirrelmail login nmu, Las grullas de la paz, Low poly effect c4d, Ty morlais. ![]() NOTE: this issue exists because of an incomplete fix for CVE-2009-1579.Ī certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. It looks like a bug was introduced in 1.2.5 in functions/imapsearch.php. Cise beachbody, Rajasekhar telugu hit movies list, Party down south meme. We encourage all SquirrelMail administrators to use a recent snapshot of either version and as always, let us know. The nightly snapshots for versions 1.4.23 and 1.5.2 found on our download page include compatibility for the newest versions of PHP 8. The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other operating systems and versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. SquirrelMail - Webmail for Nuts ANNOUNCE: PHP 8 Compatibility. NOTE: this issue exists because of an incorrect fix for CVE-2010-2813.ģ Imap General.php, Squirrelmail, Squirrelmail1.4.19-1 Functions/imap_general.php in SquirrelMail, as used in Red Hat Enterprise Linux (RHEL) 4 and 5, does not properly handle 8-bit characters in passwords, which allows remote attackers to cause a denial of service (disk consumption) by making many IMAP login attempts with different usernames, leading to the creation of many preference files.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |