Hello all,

Today SquirrelMail version 1.4.8 has been released with a collection of bugfixes and an important security fix. It was possible for an authenticated user to overwrite random variables in the compose.php script. This may open up possible attack vectors like reading or overwriting a user's preference file or attachments. We advise all current SquirrelMail users to upgrade. There's also a patch available against 1.4.7.

The interesting thing is that the function that contained the flaw was actually broken. The function is used to resume a compose session of a user that is confronted with a session timeout after composing a long mail. We've got two patches available: a minimal one which just removes the code, since it was broken anyway, and a full version that repairs the functionality and closes the hole.

SquirrelMail can be downloaded here:
http://www.squirrelmail.org/download.php

The patches can be found here:
http://www.squirrelmail.org/patches/sqm1.4.7-expired-post-fix-minimal.patch
http://www.squirrelmail.org/patches/sqm1.4.7-expired-post-fix-full.patch

They can also be applied (although not entirely cleanly) against the current development version.

We'd like to thank James Bercegay of GulfTech Security Research for finding this issue and reporting it to us.

Happy SquirrelMailing!

Thijs Kinkhorst
on behalf of the SquirrelMail team
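The announcement describes a resume-compose routine that let a submitted form overwrite unrelated script variables. The following is an added illustration of that class of bug and of the defensive pattern (restore only an allowlist of known form fields into a dedicated array); it is not SquirrelMail's code, and the variable $prefs_path, the field names and the $saved_post contents are assumptions made for the example.

```php
<?php
// Added example, not SquirrelMail's own code. $prefs_path, $saved_post and the
// compose field names are assumptions made for this illustration.

// A placeholder path that the rest of the script relies on later.
$prefs_path = '/path/to/data/alice.pref';

// Constructed form data sent back by the client after a session timeout. The
// client chooses every key, so names that are not compose fields may appear.
$saved_post = [
    'send_to'    => 'alice@example.org',
    'subject'    => 'Re: meeting',
    'body'       => 'See you at ten.',
    'prefs_path' => '/tmp/wrong-file',   // not a form field
];

// Weak pattern (shown only for contrast, left commented out): extract() turns
// every key of the array into a variable in this scope and, with its default
// flags, overwrites variables that already exist. After this line the script's
// $prefs_path would be '/tmp/wrong-file', i.e. chosen by the client.
// extract($saved_post);

// Hardened pattern: the fields the compose form actually has, and nothing else.
const COMPOSE_FIELDS = ['send_to', 'send_to_cc', 'send_to_bcc', 'subject', 'body'];

// Restore only allowlisted fields into a dedicated array. Unknown keys such as
// "prefs_path" are dropped, and no variable outside the array can be touched.
function resume_compose(array $saved): array
{
    $compose = [];
    foreach (COMPOSE_FIELDS as $field) {
        if (array_key_exists($field, $saved) && is_string($saved[$field])) {
            $compose[$field] = $saved[$field];
        }
    }
    return $compose;
}

$compose = resume_compose($saved_post);

// The unrelated variable is untouched and the stray key never made it through.
assert($prefs_path === '/path/to/data/alice.pref');
assert(!isset($compose['prefs_path']));
assert($compose['subject'] === 'Re: meeting');

printf("restored fields: %s\n", implode(', ', array_keys($compose)));
```

Run with `php -d zend.assertions=1 example.php`; the printed field list contains only allowlisted names. Keeping the restored data in `$compose` (rather than in script-scope variables) is what makes the allowlist enforceable: a later change that adds a field has to add it to COMPOSE_FIELDS, and nothing the client submits can reach a variable the script did not explicitly copy.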
--
squirrelmail-users mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users