Menu
▾
▴
#94 security hole squirrelmail mails real userid
When sending composed mail, Squirrelmail 1.4.2
generates a "Received" line which contains a valid
login id and may contain a valid internal network
address for the system upon which it is run. Such
information is useful to hackers and should not
generally be made public.
Possible solution is to modify code in
Deliver.class.php at or about line 260 to remove
generation of the "Received" line associated with the
"SquirrelMail authenticated user". Note that the MTA
will generate a separate "Received" line indicating
reception of the mail from SquirrelMail (using the less
sensitive userid "apache" and the MTA's translation of
its hostname); hence the SquirrelMail-generated
"Received" line is redundant.
simple patch for stable
Logged In: YES
user_id=225877
fixed in SquirrelMail 1.4.5cvs. Used patch is attached.
final patch
Logged In: YES
user_id=1128943
Originator: NO
Using OneTimePadEncrypt to encrypt the header lets any user retrieve the value for the encode_header_key variable. As soon as the encrypted plaintext is known, (plain) ^ (crypt) shows the passwort.
Further comments about this issue have recently been posted to artifact #880029 here:
https://sourceforge.net/tracker/index.php?func=detail&aid=880029&group_id=311&atid=350311