SquirrelMail -- post-authentication access privileges
Florian Grunow reports:
An attacker able to exploit this vulnerability can extract files
of the server the application is running on. This may include
configuration files, log files and additionally all files that are
readable for all users on the system. This issue is
post-authentication. That means an attacker would need valid
credentials for the application to log in or needs to exploit an
additional vulnerability of which we are not aware of at this point
An attacker would also be able to delete files on the system, if
the user running the application has the rights to do so.
Does this issue affect me?
Likely yes, if you are using Squirrelmail. We checked the latest
development version, which is 1.5.2-svn and the latest version
available for download at this point of time, 1.4.22. Both contain
the vulnerable code.
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright