[24902] in bugtraq
Re: squirrelmail 1.2.5 email user can execute command
daemon@ATHENA.MIT.EDU (Konstantin Riabitsev)
Mon Apr 1 18:42:07 2002
From: Konstantin Riabitsev <icon@phy.duke.edu>
To: bugtraq@securityfocus.com
In-Reply-To: <20020328011623.27428.qmail@mail.securityfocus.com>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature";
boundary="=-+1+XncOIM50/DjGH2qZC"
Date: 31 Mar 2002 16:21:40 -0500
Message-Id: <1017609700.17193.9.camel@pigwidgeon.adsl.duke.edu>
Mime-Version: 1.0
On Wed, 2002-03-27 at 20:16, pokleyzz sakamaniaka wrote:
> email user can append $THEME variable through
> cookies
This is very obscure and is limited only to valid users within your
squirrelmail application (e.g. the person has to have a valid login in
order to exploit this vulnerability). The problem is fixed in the
current CVS and will be out with Squirrelmail-1.2.6. Here is the fix,
should you want to apply it, or just wait till the next release, since
this is not a high-risk vulnerability.
Regards,
Konstantin Riabitsev,
Squirrelmail Bugmaster
hotfix:
--- validate.php.orig Sun Mar 31 16:15:52 2002
+++ validate.php Fri Mar 29 00:28:05 2002
@@ -61,6 +61,15 @@
* Include them down here instead of at the top so that all config
* variables overwrite any passed in variables (for security).
*/
+
+/**
+ * Reset the $theme() array in case a value was passed via a cookie.
+ * This is until theming is rewritten.
+ */
+global $theme;
+unset($theme);
+$theme=3Darray();
+
require_once('../config/config.php');
require_once('../src/load_prefs.php');
require_once('../functions/page_header.php');
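Review bot: The `unset($theme);` between `global $theme;` and the assignment is redundant, and it defeats the fix if validate.php is ever included from inside a function. In PHP, unsetting a variable that was bound with `global` destroys only the local reference, so the assignment that follows would create a new local array and leave the cookie-supplied global `$theme` untouched. Dropping the `unset` and keeping `global $theme;` followed directly by the assignment of `array()` resets the variable in both the file-scope and function-scope cases. The docblock writes `$theme()`, which reads like a function call; plain `$theme` is clearer. The reset covers only `$theme`, so it is worth checking whether the includes below read any other variable before assigning it, since the same passed-in-value route would apply there. When applying the patch from this message, decode the quoted-printable `=3D` on the assignment line to `=`.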