Package name: squirrelmail
Date: 2006-06-14
Advisory ID: MDKSA-2006:101
Affected versions: CS3.0 i586, CS3.0 x86_64

Problem description

A PHP remote file inclusion vulnerability in functions/plugin.php
in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and
magic_quotes_gpc is disabled, allows remote attackers to execute
arbitrary PHP code via a URL in the plugins array parameter.

NOTE: this issue has been disputed by third parties, who state that
SquirrelMail provides prominent warnings to the administrator when
register_globals is enabled.

Updated packages are patched to address this issue.

Updated packages

CS3.0 i586

 129dc516318e39d58c4fdef7d0a41f02  corporate/3.0/RPMS/squirrelmail-1.4.5-1.3.C30mdk.noarch.rpm
 080b141df7eeefff678572a92899a100  corporate/3.0/RPMS/squirrelmail-poutils-1.4.5-1.3.C30mdk.noarch.rpm
 98f98af3cc7d023838dba84c6fb0651c  corporate/3.0/SRPMS/squirrelmail-1.4.5-1.3.C30mdk.src.rpm

CS3.0 x86_64

 d82bab3f4b286eb2c3ad3bcbe4d0b23c  x86_64/corporate/3.0/RPMS/squirrelmail-1.4.5-1.3.C30mdk.noarch.rpm
 919fb3eb66dba1d83d19329b04283885  x86_64/corporate/3.0/RPMS/squirrelmail-poutils-1.4.5-1.3.C30mdk.noarch.rpm
 98f98af3cc7d023838dba84c6fb0651c  x86_64/corporate/3.0/SRPMS/squirrelmail-1.4.5-1.3.C30mdk.src.rpm
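
An added example, not part of the advisory or of SquirrelMail: a Python check that classifies a host against the conditions stated in the problem description (affected version, register_globals enabled, magic_quotes_gpc disabled). The function names, the sample php.ini text and the build string 1.4.5-1.2.C30mdk are constructed. It assumes PHP's built-in defaults when a directive is absent, reads only the main php.ini (not per-directory overrides), and recognizes only the exact patched build listed above.

```python
import re

FIXED_BUILD = "1.4.5-1.3.C30mdk"  # patched version-release from the advisory's package list
LAST_AFFECTED = (1, 4, 6)         # "SquirrelMail 1.4.6 and earlier"
# Assumption: PHP's built-in defaults apply when php.ini omits a directive.
PHP_DEFAULTS = {"register_globals": False, "magic_quotes_gpc": True}
TRUE_WORDS = {"1", "on", "yes", "true"}


def parse_php_ini(text):
    """Return the effective on/off state of the two directives (last one wins)."""
    flags = dict(PHP_DEFAULTS)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        m = re.match(r'(\w+)\s*=\s*"?([^"]*)"?$', line)
        if m and m.group(1) in flags:
            flags[m.group(1)] = m.group(2).strip().lower() in TRUE_WORDS
    return flags


def upstream_version(version_release):
    """'1.4.5-1.2.C30mdk' -> (1, 4, 5); the part after '-' is the RPM release."""
    return tuple(int(p) for p in version_release.split("-", 1)[0].split("."))


def assess(php_ini_text, version_release):
    """Classify one host against the conditions stated in the advisory."""
    if version_release == FIXED_BUILD:
        return "patched"
    if upstream_version(version_release) > LAST_AFFECTED:
        return "not affected"
    flags = parse_php_ini(php_ini_text)
    if flags["register_globals"] and not flags["magic_quotes_gpc"]:
        return "exposed"
    return "affected version, preconditions not met"


# Constructed sample input, not taken from a real host.
SAMPLE_INI = """\
; constructed php.ini excerpt
register_globals = On   ; legacy application needs this
magic_quotes_gpc = Off
"""

if __name__ == "__main__":
    for build in ("1.4.5-1.2.C30mdk", FIXED_BUILD):  # first build string is constructed
        print(build, "->", assess(SAMPLE_INI, build))
```

A host that reports "affected version, preconditions not met" is still running unpatched code; only the PHP settings currently stand between it and the issue.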

References