On 10/9/07, Tomas Kuliavas <tokul@xxxxxxxxxxxxxxxxxxxxx> wrote:
> > CentOS 4.5 w/ squirrelmail-1.4.8-4.0.1.el4.centos. Plugins are:
>
> CVE-2006-6142, CVE-2007-1262, CVE-2007-2589. Please note that html
> filtering functions must be patched to 1.4.10+ level. Having only 1.4.9a
> patches is not enough. If changelog says that CVE-2006-6142 is fixed,
> check functions/mime.php and make sure that it is similar to 1.4.10a file
> and not to 1.4.9a file.

Yeah, the first thing you do when you have a problem like this is
ensure all your software is up to date. I am shocked the OP lets that
slip by.

> > Installed Plugins
> > 1. delete_move_next
> > 2. squirrelspell
> > 3. newmail
> > 4. mpppolicygroup
> > 5. quota_usage
> >
> > Available Plugins:
> > 6. translate
> > 7. compatibility
> > 8. spamcop
> > 9. sent_subfolders
> > 10. check_quota
>
> Version of check_quota plugin? PHP register_globals setting?
>
> > Per some suggestions in the thread I was able to determine that they are
> > not using "mailto.php", but rather compose.php:
> >
> > /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
> > "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
> > "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
> > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>
> Wrong log entry. What you have in logs before this redirection is made in
> SquirrelMail. This page only displays notice that message is sent.
>
> If you know ip of spammer, check all log entries from that ip address. You
> must trace whole path. How do they log in? Is there a legit login for same
> account at that time? Which pages are opened?

See the other, original thread about this. The OP should not be
creating duplicate threads with identical information in them.

> Have you tried to protect your webmail traffic? Signed SSL certificate
> costs less than 20 USD.
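The trace asked for in the quoted reply (every request from the suspect address in time order, plus logins from other addresses around the same time) can be scripted over an Apache combined-format access log. This is an added example, not part of the thread: the sample log lines and addresses are constructed, and treating a POST to `src/redirect.php` as the SquirrelMail 1.4.x login is an assumption.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumption: the SquirrelMail 1.4.x login form posts to src/redirect.php.
LOGIN_PATH = "/src/redirect.php"

def parse(lines):
    """Yield (time, ip, method, url, status) for each parsable log line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"], m["method"], m["url"], int(m["status"])

def trail(lines, suspect_ip):
    """Every request from suspect_ip, in time order (the 'whole path')."""
    return sorted(e for e in parse(lines) if e[1] == suspect_ip)

def is_login(entry):
    return entry[2] == "POST" and entry[3].split("?")[0].endswith(LOGIN_PATH)

def other_logins(lines, suspect_ip, window=timedelta(minutes=30)):
    """Other IPs logging in near a suspect login (access logs hold no account names)."""
    entries = list(parse(lines))
    suspect = [e[0] for e in entries if e[1] == suspect_ip and is_login(e)]
    return sorted({e[1] for e in entries if e[1] != suspect_ip and is_login(e)
                   and any(abs(e[0] - t) <= window for t in suspect)})

# Constructed sample log (documentation addresses, not taken from the thread).
SAMPLE = """\
198.51.100.7 - - [07/Oct/2007:21:40:02 -0500] "POST /webmail/src/redirect.php HTTP/1.1" 302 - "-" "UA"
203.0.113.9 - - [07/Oct/2007:21:53:41 -0500] "POST /webmail/src/redirect.php HTTP/1.1" 302 - "-" "UA"
203.0.113.9 - - [07/Oct/2007:21:53:42 -0500] "GET /webmail/src/webmail.php HTTP/1.1" 200 1204 "-" "UA"
203.0.113.9 - - [07/Oct/2007:21:54:09 -0500] "POST /webmail/src/compose.php HTTP/1.1" 302 - "-" "UA"
203.0.113.9 - - [07/Oct/2007:21:54:10 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 "-" "UA"
198.51.100.20 - - [07/Oct/2007:23:10:00 -0500] "POST /webmail/src/redirect.php HTTP/1.1" 302 - "-" "UA"
""".splitlines()

if __name__ == "__main__":
    for ts, ip, method, url, status in trail(SAMPLE, "203.0.113.9"):
        print(ts.isoformat(), method, url, status)
    print("other logins nearby:", other_logins(SAMPLE, "203.0.113.9"))
```

Matching a nearby login to the same account still requires the IMAP server's authentication log, since the account name travels in the POST body.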