| VID | 22095 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | An input validation error exists in SquirrelMail on the web server that could allow remote users to cause arbitrary files to be included and loaded by the PHP interpreter at runtime. SquirrelMail is an easy-to-use, good-looking and functional web mail system written in PHP. SquirrelMail makes insecure calls to the PHP function include(). SquirrelMail versions up to and including 1.0.4 allow an attacker to execute arbitrary commands on the remote web server, or to read the configuration files of the installation, thereby gaining database credentials, with the permissions of the web server user. |
| References | http://www.securityfocus.com/bid/2968 http://www.squirrelmail.org |
| Recommendation | Upgrade to the latest version. You can download a version above 1.0.5 from: http://www.squirrelmail.org http://prdownloads.sourceforge.net/squirrelmail/squirrelmail-1.0.5.tar.gz |
| Related URL | CVE-2001-1159 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |