From: Rolan Y. <ro...@om...> - 2002-05-13 18:46:23

There may be a security vulnerability in the latest Squirrelmail which allows any user with a valid account to modify the "Personal Information" preferences of other users on the system. My test configuration uses mysql virtual users with courier imap and Postfix. The Squirrelmail is configured to use MySQL to store the personal information as well.

Procedure: After logging into SquirrelMail, right click on "Options" and open in new window. Rewrite the URL "http://www.yourserver.com/smail/src/options.php" with:

http://www.yourserver.com/smail/src/options.php?username=anotheruser

where "anotheruser" is anyone else that holds an account on the system, and then hit enter to load the page. Clicking on "Personal Information" should allow modification of "anotheruser's" information. Display Preferences might also be modifiable (I have not tried).

Fix?: Squirrelmail needs to authenticate the user's name along with password before permitting any modifications to the "Options" preferences.

Rolan Yang
Omnistep Inc
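The access-control flaw described in the report, as an added illustration in Python rather than SquirrelMail's own PHP (this is not the project's code): a handler that takes the target account from the request's `username` parameter sits beside one that edits only the session-authenticated user's record and audits any mismatch. The two-user store, the `audit` list and all function names are constructed for the example.

```python
from urllib.parse import parse_qs, urlparse


def target_from_request(session_user, url):
    """Return the username named by the request's query string, defaulting
    to the session user when the parameter is absent."""
    params = parse_qs(urlparse(url).query)
    return params.get("username", [session_user])[0]


def vulnerable_update(prefs, session_user, url, new_email):
    """Behaviour reported above: the account to edit is taken from the
    request (options.php?username=...), not from the authenticated session,
    so any logged-in user can overwrite another user's preferences."""
    target = target_from_request(session_user, url)
    prefs[target]["email"] = new_email
    return target


def hardened_update(prefs, session_user, url, new_email, audit):
    """Fix: only the authenticated session user's own record may change.
    A request naming a different username is not honoured; it is appended
    to the audit list so it can be alerted on."""
    requested = target_from_request(session_user, url)
    if requested != session_user:
        audit.append(f"{session_user} requested preference edit for {requested}")
    prefs[session_user]["email"] = new_email
    return session_user


def demo():
    """Run both handlers against a constructed two-user store and return the
    resulting state so the difference is visible."""
    url = "http://www.yourserver.com/smail/src/options.php?username=bob"
    store_v = {"alice": {"email": "alice@example.invalid"},
               "bob": {"email": "bob@example.invalid"}}
    store_h = {"alice": {"email": "alice@example.invalid"},
               "bob": {"email": "bob@example.invalid"}}
    audit = []
    vulnerable_update(store_v, "alice", url, "changed@example.invalid")
    hardened_update(store_h, "alice", url, "changed@example.invalid", audit)
    return store_v, store_h, audit


if __name__ == "__main__":
    print(demo())
```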