===================================================================== CERT-Renater Note d'Information No. 2006/VULN450 _____________________________________________________________________ DATE : 18/08/2006 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running SquirrelMail version prior to 1.4.8. ====================================================================== Hello all, Today SquirrelMail version 1.4.8 has been released with a collection of bugfixes and an important security fix. It was possible for an authenticated user to overwrite random variables in the compose.php script. This may open up possible attack vectors like reading or overwriting a user's preference file or attachments. We advise all current SquirrelMail users to upgrade. There's also a patch available against 1.4.7. The interesting thing is that the function that contained the flaw was actually broken. The function is used to resume a compose session of a user that is confronted with a session timeout after composing a long mail. We've got two patches available: a minimal one which just removes the code, since it was broken anyway, and a full version that repairs the functionality and closes the hole. SquirrelMail can be downloaded here: http://www.squirrelmail.org/download.php The patches can be found here: http://www.squirrelmail.org/patches/sqm1.4.7-expired-post-fix-minimal.patch http://www.squirrelmail.org/patches/sqm1.4.7-expired-post-fix-full.patch They also apply against the current development version. We'd like to thank James Bercegay of GulfTech Security Research for finding this issue and reporting it to us. Happy SquirrelMailing! Thijs Kinkhorst on behalf of the SquirrelMail team ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================