Family: CGI abuses --> Category: attack
SquirrelMail session_expired_post Arbitrary Variables Overwriting Vulnerability Scan
Vulnerability Scan Summary Tries to overwrite a variable in SquirrelMail through the saved expired-session data
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote webmail application suffers from a data modification
vulnerability.
Description :
The installed version of SquirrelMail restores the contents of an expired
session in an unsafe manner: when a session expires in the middle of
composing a message, the submitted form data is saved under
session_expired_post and, after re-login, every saved key is written back
into a PHP variable of the same name in compose.php (CVE-2006-4019).
Because the attacker controls the key names, a logged-in user can craft an
expired session that overwrites arbitrary variables used by the affected
script, which can lead to further attacks against the system, such as
reading or writing files and other users' preferences and attachments.
See also :
http://www.gulftech.org/?node=research&article_id=00108-08112006
http://www.squirrelmail.org/security/issue/2006-08-11
http://archives.neohapsis.com/archives/bugtraq/2006-08/0241.html
Solution :
Apply the patch referenced in the vendor advisory above or upgrade to
SquirrelMail version 1.4.8 or later.
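To make the flaw in the Description and the shape of the fix in the Solution concrete, the following is an added illustration written for this page; it is not SquirrelMail's own code, and the variable names, the sample session contents and the field whitelist are constructed assumptions. It contrasts the unsafe pattern (writing every saved key back as a variable variable) with a hardened version that restores only a fixed list of form fields into an array:

```php
<?php
// Added illustration, not SquirrelMail code: restoring POST data saved from
// an expired session. All names and sample values below are constructed.

// Constructed sample of what an attacker can leave in the session: the
// legitimate compose fields plus keys that name internal script variables.
$session_expired_post = [
    'subject'  => 'hello',
    'body'     => 'text',
    'username' => 'victim',          // would redirect per-user data lookups
    'data_dir' => '/var/www/html/',  // would redirect preference/attachment I/O
];

// Vulnerable pattern: every saved key becomes a variable in the script's
// scope, so the attacker chooses which internal variables get overwritten.
function restore_unsafe(array $saved): array {
    $username = 'current_user';                 // assumed internal state
    $data_dir = '/var/lib/squirrelmail/data/';  // assumed internal state
    foreach ($saved as $name => $value) {
        $$name = $value;   // variable variable: name is attacker-controlled
    }
    return ['username' => $username, 'data_dir' => $data_dir];
}

// Hardened pattern: only known compose form fields are restored, and they
// land in a dedicated array rather than in the script's variable namespace.
const COMPOSE_FIELDS = ['send_to', 'send_to_cc', 'send_to_bcc', 'subject', 'body'];

function restore_safe(array $saved): array {
    $form = [];
    foreach (COMPOSE_FIELDS as $field) {
        if (array_key_exists($field, $saved)) {
            $form[$field] = (string) $saved[$field];
        }
    }
    return $form;   // $username, $data_dir and friends are never touched
}

var_dump(restore_unsafe($session_expired_post));
var_dump(restore_safe($session_expired_post));
```

Running the script shows restore_unsafe() returning the attacker-supplied username and data_dir values, while restore_safe() returns only the subject and body fields and ignores the extra keys entirely. The point of the whitelist-into-an-array approach is that the set of variables the restored data can influence is fixed by the code, not by the content of the session.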
Threat Level:
Medium / CVSS Base Score : 4.7
(AV:R/AC:L/Au:NR/C:P/I:P/A:N/B:N)