Re: squirrelmail 1.2.5 email user can execute command

• Previous message: securityat_private: "Security Update: [CSSA-2002-005.0] Linux - LD_LIBRARY_PATH problem in KDE sessions"
• In reply to: pokleyzz sakamaniaka: "squirrelmail 1.2.5 email user can execute command"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2002-03-27 at 20:16, pokleyzz sakamaniaka wrote:
> email user  can append $THEME variable through 
> cookies

This is very obscure and is limited only to valid users within your
squirrelmail application (e.g. the person has to have a valid login in
order to exploit this vulnerability). The problem is fixed in the
current CVS and will be out with Squirrelmail-1.2.6. Here is the fix,
should you want to apply it, or just wait till the next release, since
this is not a high-risk vulnerability.

Regards,
Konstantin Riabitsev,
Squirrelmail Bugmaster

hotfix:

--- validate.php.orig	Sun Mar 31 16:15:52 2002
+++ validate.php	Fri Mar 29 00:28:05 2002
@@ -61,6 +61,15 @@
 * Include them down here instead of at the top so that all config
 * variables overwrite any passed in variables (for security).
 */
+
+/**
+ * Reset the $theme() array in case a value was passed via a cookie.
+ * This is until theming is rewritten.
+ */
+global $theme;
+unset($theme);
+$theme=array();
+
 require_once('../config/config.php');
 require_once('../src/load_prefs.php');
 require_once('../functions/page_header.php');

• application/pgp-signature attachment: This is a digitally signed message part

• Next message: matthewat_private: "popper_mod 1.2.1 and previous accounts compromise"
• Previous message: securityat_private: "Security Update: [CSSA-2002-005.0] Linux - LD_LIBRARY_PATH problem in KDE sessions"
• In reply to: pokleyzz sakamaniaka: "squirrelmail 1.2.5 email user can execute command"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Apr 01 2002 - 15:34:19 PST