FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-19 20:48:44 UTC

These are the vulnerabilities relating to the commit you have selected:

VuXML ID | Description
21b7c550-2a22-11db-a6e2-000e0c2e438a | squirrelmail -- random variable overwrite vulnerability

The SquirrelMail developers report:

A logged in user could overwrite random variables in compose.php, which might make it possible to read/write other users' preferences or attachments.


Discovery 2006-08-11
Entry 2006-08-12
ja-squirrelmail
ge 1.4.0 lt 1.4.8,2

squirrelmail
ge 1.4.0 lt 1.4.8

CVE-2006-4019
http://www.squirrelmail.org/security/issue/2006-08-11
79630c0c-8dcc-45d0-9908-4087fe1d618c | squirrelmail -- XSS and remote code injection vulnerabilities

A SquirrelMail Security Advisory reports:

SquirrelMail 1.4.4 has been released to resolve a number of security issues disclosed below. It is strongly recommended that all running SquirrelMail prior to 1.4.4 upgrade to the latest release.

Remote File Inclusion

Manoel Zaninetti reported an issue in src/webmail.php which would allow a crafted URL to include a remote web page. This was assigned CAN-2005-0103 by the Common Vulnerabilities and Exposures.

Cross Site Scripting Issues

A possible cross site scripting issue exists in src/webmail.php that is only accessible when the PHP installation is running with register_globals set to On. This issue was uncovered internally by the SquirrelMail Development team. This issue was assigned CAN-2005-0104 by the Common Vulnerabilities and Exposures.

A second issue which was resolved in the 1.4.4-rc1 release was uncovered and assigned CAN-2004-1036 by the Common Vulnerabilities and Exposures. This issue could allow a remote user to send a specially crafted header and cause execution of script (such as javascript) in the client browser.

Local File Inclusion

A possible local file inclusion issue was uncovered by one of our developers involving custom preference handlers. This issue is only active if the PHP installation is running with register_globals set to On.


Discovery 2005-01-29
Entry 2005-06-01
squirrelmail
ja-squirrelmail
< 1.4.4

CVE-2004-1036
CVE-2005-0075
CVE-2005-0103
CVE-2005-0104
http://marc.theaimsgroup.com/?l=bugtraq&m=110702772714662
http://www.squirrelmail.org/security/issue/2005-01-14
http://www.squirrelmail.org/security/issue/2005-01-19
http://www.squirrelmail.org/security/issue/2005-01-20
7d52081f-2795-11da-bc01-000e0c2e438a | squirrelmail -- _$POST variable handling allows for various attacks

A Squirrelmail Advisory reports:

An extract($_POST) was done in options_identities.php which allowed for an attacker to set random variables in that file. This could lead to the reading (and possible writing) of other people's preferences, cross site scripting or writing files in webserver-writable locations.


Discovery 2005-07-13
Entry 2005-09-17
Modified 2005-09-19
squirrelmail
ja-squirrelmail
ge 1.4.0 lt 1.4.5

14254
CVE-2005-2095
http://www.squirrelmail.org/security/issue/2005-07-13
7fbfe159-3438-11d9-a9e7-0001020eed82 | squirrelmail -- cross site scripting vulnerability

A SquirrelMail Security Notice reports:

There is a cross site scripting issue in the decoding of encoded text in certain headers. SquirrelMail correctly decodes the specially crafted header, but doesn't sanitize the decoded strings.


Discovery 2004-11-03
Entry 2004-11-12
ja-squirrelmail
< 1.4.3a_4,2

squirrelmail
< 1.4.3a_3

http://marc.theaimsgroup.com/?l=bugtraq&m=110012133608004
e879ca68-e01b-11d9-a8bd-000cf18bbe54 | squirrelmail -- Several cross site scripting vulnerabilities

A SquirrelMail Security Advisory reports:

Several cross site scripting (XSS) vulnerabilities have been discovered in SquirrelMail versions 1.4.0 - 1.4.4.

The vulnerabilities are in two categories: the majority can be exploited through URL manipulation, and some by sending a specially crafted email to a victim. When done very carefully, this can cause the session of the user to be hijacked.


Discovery 2005-06-15
Entry 2005-06-18
squirrelmail
ja-squirrelmail
ge 1.4.0 le 1.4.4

CVE-2005-1769
http://www.squirrelmail.org/security/issue/2005-06-15