A missing variable initialisation in functions/prefs.php allowed for potential insecure file inclusions. Only environments where the PHP setting register_globals is set to On are vulnerable. Affected versions: SquirrelMail 1.4.3, 1.4.3a, 1.4.4-RC1 Fixed in: SquirrelMail 1.4.4 This vulnerability was discovered by SquirrelMail developer Jimmy Conner. Currently the 1.4.4 release is planned for monday, as there still is some translation stuff pending. Here's the fix upstream uses. Since RH released an advisory for 1.4.3a I guess this problem affects them at least. Regards, Joey Index: plugin.txt =================================================================== RCS file: /cvsroot/squirrelmail/squirrelmail/doc/plugin.txt,v retrieving revision 1.24.2.24 retrieving revision 1.24.2.25 diff -u -w -r1.24.2.24 -r1.24.2.25 --- plugin.txt 29 Dec 2004 23:17:11 -0000 1.24.2.24 +++ plugin.txt 14 Jan 2005 06:15:22 -0000 1.24.2.25 @@ -288,6 +288,7 @@ decode_body functions/mime.php hook_func generic_header functions/page_header.php do_hook menuline functions/page_header.php do_hook + prefs_backend functions/prefs.php hook_func loading_prefs include/load_prefs.php do_hook addrbook_html_search_below src/addrbook_search_html.php do_hook addressbook_bottom src/addressbook.php do_hook Index: prefs.php =================================================================== RCS file: /cvsroot/squirrelmail/squirrelmail/functions/prefs.php,v retrieving revision 1.62.2.6 retrieving revision 1.62.2.7 diff -u -w -r1.62.2.6 -r1.62.2.7 --- prefs.php 27 Dec 2004 15:03:46 -0000 1.62.2.6 +++ prefs.php 14 Jan 2005 06:15:23 -0000 1.62.2.7 @@ -14,6 +14,7 @@ /** Include global.php */ require_once(SM_PATH . 'functions/global.php'); +require_once(SM_PATH . 'functions/plugin.php'); sqgetGlobalVar('prefs_cache', $prefs_cache, SQ_SESSION ); sqgetGlobalVar('prefs_are_cached', $prefs_are_cached, SQ_SESSION ); @@ -31,7 +32,8 @@ $prefs_cache = array(); } -if (isset($prefs_backend) && file_exists(SM_PATH . $prefs_backend)) { +$prefs_backend = do_hook_function('prefs_backend'); +if (isset($prefs_backend) && !empty($prefs_backend) && file_exists(SM_PATH . $prefs_backend)) { require_once(SM_PATH . $prefs_backend); } elseif (isset($prefs_dsn) && !empty($prefs_dsn)) { require_once(SM_PATH . 'functions/db_prefs.php');
Probably better to wait for the official 1.4.4 on Monday. Eradicator: if you can't handle it on Monday, please tell us so that we find someone else to do the bump.
I'll take care of it on monday. should be a simple renaming.
Upstream still hasn't made a release...
Ok, can youu find someone else to bump it for me. I am going to sleep now, leaving in the morning, and they still haven't made the release.
Apparently this has been delayed until Friday.
Two more issues: http://cvs.sf.net/viewcvs.py/squirrelmail/squirrelmail/src/webmail.php?r1=1.92.2.8&r2=1.92.2.6&only_with_tag=SM-1_4-STABLE CAN-2005-0103 for cross site scripting CAN-2005-0104 for code injection via unsanitised integer variable Hopefully they will release soon.
1.4.4 released, please bump.
In CVS. Just need ppc to mark stable.
Thx Jeremy. ppc please mark stable.
GLSA drafted. Security please review. ppc please mark stable asap.
stable on ppc sorry for the wait
dada ppc
Not yet ppc stable in CVS... SeJo / ppc-team, please fix your keyword
SeJo markes ppc stable. Ready to send
GLSA 200501-39
