SquirrelMail is a standards-based webmail package written in PHP4.

Jimmy Conner discovered a missing variable initialization in SquirrelMail.
This flaw could allow insecure file inclusion on servers where the PHP
setting “register_globals” is set to “On”. This is not a default or
recommended setting. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0075 to this issue.

A URL sanitisation bug was found in SquirrelMail. This flaw could allow a
cross-site scripting attack when loading the URL for the sidebar. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2005-0103 to this issue.

A missing variable initialization bug was found in SquirrelMail. This flaw
could allow a cross-site scripting attack. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2005-0104 to
this issue.

Users of SquirrelMail are advised to upgrade to this updated package,
which contains backported patches to correct these issues.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
RedHat | any | src | squirrelmail | < 1.4.3a-9.EL4 | squirrelmail-1.4.3a-9.EL4.src.rpm |
RedHat | any | noarch | squirrelmail | < 1.4.3a-9.EL4 | squirrelmail-1.4.3a-9.EL4.noarch.rpm |
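
The following Python check is an added example, not part of the advisory: it compares an installed squirrelmail version-release against the fixed 1.4.3a-9.EL4 from the table and reports whether the register_globals precondition for CAN-2005-0075 is met. The function names are hypothetical, the version comparison is a simplified form of rpm's segment comparison (no epoch, `~` or `^`), and the php.ini fragment is constructed sample input.

```python
import re

FIXED = "1.4.3a-9.EL4"  # fixed version-release, from the advisory's package table

def rpmvercmp(a, b):
    """Simplified rpm segment comparison (no '~'/'^' handling): returns -1, 0 or 1."""
    sa, sb = (re.findall(r"[0-9]+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)                # compare numbers as numbers, so 10 > 9
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments mean newer

def evr_cmp(a, b):
    """Compare two 'version-release' strings; epoch is assumed absent."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def register_globals_on(ini_text):
    """Return True if the last active register_globals line in php.ini text enables it."""
    on = False  # the advisory notes that "On" is not the default
    for line in ini_text.splitlines():
        m = re.match(r'\s*register_globals\s*=\s*"?([^\s";]*)', line, re.I)
        if m:
            on = m.group(1).lower() in ("on", "1", "true", "yes")
    return on

def assess(installed, ini_text):
    """installed: e.g. output of rpm -q --qf '%{VERSION}-%{RELEASE}' squirrelmail"""
    outdated = evr_cmp(installed, FIXED) < 0
    return {
        "needs_update": outdated,  # all three CAN-2005-* issues are fixed by the update
        # the advisory ties only CAN-2005-0075 (file inclusion) to register_globals = On
        "file_inclusion_exposed": outdated and register_globals_on(ini_text),
    }

# Constructed sample php.ini fragment: the commented-out line must be ignored.
SAMPLE_INI = """; register_globals = Off
[PHP]
register_globals = On   ; enabled for a legacy application
"""

if __name__ == "__main__":
    for evr in ("1.4.3a-7.EL4", "1.4.3a-9.EL4", "1.4.3a-10.EL4"):
        print(evr, assess(evr, SAMPLE_INI))
```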