FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

squirrelmail -- $_POST variable handling allows for various attacks

Affected packages
1.4.0 <= ja-squirrelmail < 1.4.5
1.4.0 <= squirrelmail < 1.4.5

Details

VuXML ID 7d52081f-2795-11da-bc01-000e0c2e438a
Discovery 2005-07-13
Entry 2005-09-17
Modified 2005-09-19

A Squirrelmail Advisory reports:

An extract($_POST) was done in options_identities.php which allowed for an attacker to set random variables in that file. This could lead to the reading (and possible writing) of other people's preferences, cross site scripting or writing files in webserver-writable locations.
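The pattern the advisory describes, shown next to a hardened form. This is an added example, not SquirrelMail code and not part of the advisory; the function names, field names, and the path are hypothetical, and the request array is constructed.

```php
<?php
// Added illustration; not SquirrelMail source. All names are hypothetical.

// Vulnerable pattern: every POST key becomes a local variable,
// overwriting values the script already trusted.
function prefs_file_vulnerable(array $post, string $session_user): string
{
    $username = $session_user;          // identity taken from the session
    $data_dir = '/var/spool/webmail/';  // constructed path
    extract($post);                     // default EXTR_OVERWRITE replaces both
    return $data_dir . $username . '.pref';
}

// Hardened pattern: read only the fields the form defines, validate them,
// and never let request data choose server-side variable names.
function prefs_file_hardened(array $post, string $session_user): array
{
    $username = $session_user;
    $data_dir = '/var/spool/webmail/';
    $allowed  = ['full_name', 'email_address', 'reply_to'];
    $fields   = [];
    foreach ($allowed as $key) {
        $value = $post[$key] ?? '';
        if (!is_string($value) || strlen($value) > 255) {
            $value = '';                // reject arrays and oversized input
        }
        $fields[$key] = $value;
    }
    return ['file' => $data_dir . $username . '.pref', 'fields' => $fields];
}

// Constructed request body: two form fields plus two keys that
// collide with the script's internal variable names.
$post = [
    'full_name'     => 'Alice Example',
    'email_address' => 'alice@example.org',
    'username'      => 'bob',
    'data_dir'      => '/tmp/',
];

// The vulnerable version resolves a path built from request data;
// the hardened version keeps the session identity and fixed directory.
echo prefs_file_vulnerable($post, 'alice'), "\n";
$safe = prefs_file_hardened($post, 'alice');
echo $safe['file'], "\n";
echo json_encode($safe['fields']), "\n";
```

Where a call to extract() cannot be removed outright, passing EXTR_SKIP or EXTR_PREFIX_ALL keeps request keys from replacing variables that already exist. Values read from the request still need escaping on output, since the advisory also lists cross-site scripting as an outcome.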

References

Bugtraq ID 14254
CVE Name CVE-2005-2095
URL http://www.squirrelmail.org/security/issue/2005-07-13