From: David R. <db...@gr...> - 2003-06-23 19:12:55
I verified the exploits on 1.2.11. They don't appear to work on 1.4.0:

http://www.securityfocus.com/bid/7952/exploit/

Looks bad!

-Dave

Brian G. Peterson said:
> I saw this in the linux rollup of the weekly Bugtraq messages. I
> thought someone should check it out and respond, as well as making sure
> that SM 1.4.0 and the STABLE and DEVEL branches are not affected.
>
> I looked through my bugtraq archive, and searched online, and can't find
> this bugtraq message at all. Is this a re-hash of the stuff that was
> reported on Bugtraq in March/April?
>
> More information about this is available at the URL below.
>
> - Brian Peterson
>
> --- Relevant portions here: ---
> 21. Squirrelmail Multiple Remote Vulnerabilities
> BugTraq ID: 7952
> Remote: Yes
> Date Published: Jun 17 2003 12:00AM
> Relevant URL:
> http://www.securityfocus.com/bid/7952
> Summary:
>
> SquirrelMail is a webmail program implemented in the PHP4 language. It
> is available for Linux and Unix based operating systems.
>
> Multiple vulnerabilities have been reported for SquirrelMail PHP scripts
> which could be exploited to carry out a variety of attacks. Successful
> exploitation could result in a wide variety of circumstances including
> data corruption, information disclosure, and privilege escalation.
>
> These vulnerabilities were reported for SquirrelMail 1.2.11, however,
> earlier versions may also be affected.
>
> It should be noted that as further analysis is carried out on these
> vulnerabilities, each issue will be given their own individual Bugtraq
> ID. At that time, this BID will be retired.