FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

SquirrelMail -- post-authentication access privileges

Affected packages
squirrelmail <= 20170705


VuXML ID 928d5c59-2a5a-11e8-a712-0025908740c2
Discovery 2017-05-21
Entry 2018-03-17

Florian Grunow reports:

An attacker able to exploit this vulnerability can extract files of the server the application is running on. This may include configuration files, log files and additionally all files that are readable for all users on the system. This issue is post-authentication. That means an attacker would need valid credentials for the application to log in or needs to exploit an additional vulnerability of which we are not aware of at this point of time.

An attacker would also be able to delete files on the system, if the user running the application has the rights to do so.

Does this issue affect me?

Likely yes, if you are using Squirrelmail. We checked the latest development version, which is 1.5.2-svn and the latest version available for download at this point of time, 1.4.22. Both contain the vulnerable code.


CVE Name CVE-2018-8741