漏洞信息详情
SquirrelMail options_identities.php POST变量处理漏洞
- CNNVD编号:CNNVD-200507-171
- 危害等级: 低危
- CVE编号: CVE-2005-2095
- 漏洞类型: 跨站脚本
- 发布时间: 2003-07-18
- 威胁类型: 远程
- 更新时间: 2006-06-15
- 厂 商: squirrelmail
- 漏洞来源: James Bercegay se...
漏洞简介
SquirrelMail是一套PHP4实现的个多功能Webmail程序。
SquirrelMail 1.4.4及之前版本中存在POST变量处理漏洞。
由于使用extract函数处理POST变量,使得攻击者可能利用此漏洞读取或修改其他用户的偏好设置、产生跨站脚本攻击或写入任意文件。
漏洞公告
目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
http://sourceforge.net/projects/squirrelmail/files/
参考网址
来源: DEBIAN
名称: DSA-756
链接:http://www.debian.org/security/2005/dsa-756
来源: FEDORA
名称: FLSA:163047
链接:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163047
来源: XF
名称: squirrelmail-set-post-variable(21359)
链接:http://xforce.iss.net/xforce/xfdb/21359
来源: www.squirrelmail.org
链接:http://www.squirrelmail.org/security/issue/2005-07-13
来源: BID
名称: 14254
链接:http://www.securityfocus.com/bid/14254
来源: BUGTRAQ
名称: 20050714 SquirrelMail Arbitrary Variable Overwriting Vulnerability
链接:http://www.securityfocus.com/archive/1/405202
来源: BUGTRAQ
名称: 20050714 [SM-ANNOUNCE] Patch available for CAN-2005-2095
链接:http://www.securityfocus.com/archive/1/405200
来源: REDHAT
名称: RHSA-2005:595
链接:http://www.redhat.com/support/errata/RHSA-2005-595.HTML
来源: MISC
链接:http://www.gulftech.org/?node=research&article_id=00090-07142005
来源: CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple
名称: CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple-SA-2005-08-15
链接:http://lists.CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple.com/archives/security-announce/2005/Aug/msg00000.HTML
来源: CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple
名称: CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple-SA-2005-08-17
链接:http://lists.CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple.com/archives/security-announce/2005//Aug/msg00001.HTML
来源: SUSE
名称: SUSE-SR:2005:018
链接:http://www.novell.com/linux/security/advisories/2005_18_sr.HTML
受影响实体
- Squirrelmail Squirrelmail:1.0.4
- Squirrelmail Squirrelmail:1.0.5
- Squirrelmail Squirrelmail:1.2.0
- Squirrelmail Squirrelmail:1.2.1
- Squirrelmail Squirrelmail:1.2.2
补丁
暂无
评论