
SANS ISC: SquirrelMail release 1.4.13 - Internet Security | DShield SANS ISC InfoSec Forums


SquirrelMail release 1.4.13

The analysis of the SquirrelMail 1.4.12 code base is in, and it looks more serious than first thought. 1.4.11 appears to have been affected as well, so the developers have released 1.4.13 and posted the following announcement:

Due to the package compromise of 1.4.11 and 1.4.12, we are forced to release 1.4.13 to ensure no confusion. While initial review didn't uncover a need for concern, several proofs of concept show that the package alterations introduce a high-risk security issue, allowing remote inclusion of files. These changes would allow a remote user the ability to execute exploit code on a victim machine, without any user interaction on the victim's server. This could grant the attacker the ability to deploy further code on the victim's server.

Details and the updated bundles (please remember to check those MD5s and PGP sigs) are at www.squirrelmail.org/

Stephen

89 Posts
ISC Handler
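
The MD5 check the post asks for, as an added example (not code from the diary or from the SquirrelMail project): it verifies a downloaded bundle against an md5sum-style manifest and reports a file that was altered after the manifest was published. The file name and contents are constructed for the demo. A manifest fetched from the same server as an altered package can be altered too, so the check only means something when the manifest comes from a separate channel, which is what the PGP signature provides.

```python
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")

def parse_manifest(text):
    """Parse md5sum-style lines ('<digest>  <file>') into {file: digest}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        name = name.lstrip(" *")  # md5sum prefixes binary-mode names with '*'
        if len(digest) != 32 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = digest
    return entries

def md5_of(path, chunk=65536):
    """Hash the file in chunks so large tarballs are not read into memory."""
    h = hashlib.md5()  # MD5 because that is what the post says is published
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_bundle(path, manifest):
    """Return 'ok', 'mismatch', or 'unlisted' (never treat unlisted as ok)."""
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    return "ok" if hmac.compare_digest(md5_of(path), expected) else "mismatch"

def demo():
    """Constructed data: a stand-in bundle, then the same file altered."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-bundle.tar.gz")  # hypothetical name
        with open(path, "wb") as f:
            f.write(b"constructed release contents\n")
        manifest = parse_manifest(f"{md5_of(path)}  example-bundle.tar.gz\n")
        before = verify_bundle(path, manifest)
        with open(path, "ab") as f:  # simulate a post-release alteration
            f.write(b"constructed extra bytes\n")
        return before, verify_bundle(path, manifest)

if __name__ == "__main__":
    print(demo())
```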
