Security hole in SquirrelMail
The developers of the webmail software SquirrelMail have released a new version to close a security hole. The fix addresses a flaw that could allow attackers registered with the webmailer to view and manipulate the last email composed by another user.
The vulnerability is located in a function of the PHP software that allows a user to continue composing an email message even after the user session has timed out. According to the developers, registered users could exploit the hole in the user settings to read and write other users' email attachments. The documentation for a repair patch lists numerous variables, such as send_to_bcc and body, as modifiable by attackers. This raises suspicions that the extent to which mails can be manipulated is even broader than announced. One notable point about the hole: the PHP option register_globals has no influence on it whatsoever.
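The following added example is not SquirrelMail code and is not taken from the patch; it illustrates the general variable-overwriting bug class under the assumption that saved form data is imported into script variables by name, which is why register_globals is irrelevant. The function names, the `username` variable and the sample data are hypothetical; only send_to_bcc and body come from the article.

```php
<?php
// Added illustration, not SquirrelMail source. Names are hypothetical except
// send_to_bcc and body, which the article mentions.

// Constructed sample: form data saved when a session timed out. "username"
// is not a compose field, yet it is present in the saved data.
$saved_post = [
    'send_to_bcc' => 'carol@example.org',
    'body'        => 'Draft text',
    'username'    => 'bob',
];

// Weak: every saved key becomes a variable in the current scope. The
// register_globals setting plays no part, because the script itself
// performs the assignment.
function restore_unsafe(array $saved): array
{
    $username = 'alice';            // identity established at login
    foreach ($saved as $name => $value) {
        $$name = $value;            // any key, including "username"
    }
    return ['username' => $username, 'body' => $body ?? ''];
}

// Hardened: only known compose fields are restored, as strings, into an
// array instead of into the variable scope.
function restore_allowlisted(array $saved): array
{
    $allowed  = ['send_to_bcc', 'body'];
    $username = 'alice';
    $compose  = [];
    foreach ($allowed as $name) {
        if (isset($saved[$name]) && is_string($saved[$name])) {
            $compose[$name] = $saved[$name];
        }
    }
    return ['username' => $username, 'compose' => $compose];
}

var_dump(restore_unsafe($saved_post)['username']);
var_dump(restore_allowlisted($saved_post)['username']);
```

In the weak variant the login identity changes to the value carried in the saved data; in the allowlisted variant it stays as set at login and only the two compose fields are restored.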
The SquirrelMail developers are also making available a minimal patch that deletes the flawed function.
The security hole affects SquirrelMail 1.4.0 up to version 1.4.7. The currently available version, 1.4.8, closes the vulnerability and fixes other flaws as well. The developers recommend that administrators of SquirrelMail installations update to the new version immediately.
- SquirrelMail 1.4.8 released - fixes variable overwriting attack, advisory from the Bugtraq mailing list