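Vulnerability Details
SquirrelMail 'mail_fetch' Remote Information Disclosure Vulnerability
- CNNVD ID: CNNVD-201006-359
- Severity: Low
- CVE ID: CVE-2010-1637
- Vulnerability type: Permissions and access control
- Published: 2010-05-20
- Threat type: Remote
- Updated: 2010-06-24
- Vendor: squirrelmail
- Source: TEHTRI-Security
Vulnerability Summary
SquirrelMail is a feature-rich webmail program implemented in PHP4 that runs on Linux/Unix-like operating systems and allows plugins to extend its functionality.
The Mail Fetch plugin in SquirrelMail contains a vulnerability: remote authenticated users can use a modified POP3 port number to bypass firewall restrictions and use SquirrelMail as a proxy to scan the internal network.
Vulnerability Advisory
The vendor has released an upgrade patch that fixes this security issue. Patch download links: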
MandrakeSoft Enterprise Server 5 x86_64 (all packages below are listed with the download link http://www.mandriva.com/en/download/):
- Mandriva squirrelmail-cyrus-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-lt-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-tr-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-poutils-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-ms-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-nl-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-hu-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-el-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-it-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-zh_TW-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-eu-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-de-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-ka-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-sl-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-fy-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-id-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-vi-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-ja-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-sv-1.4.19-2.3mdvmes5.1.noarch.rpm
- Mandriva squirrelmail-ro-1.4.19-2.3mdvmes5.1.noarch.rpm
References
Source: MLIST
Name: [oss-security] 20100621 Re: [SquirrelMail-Security] CVE Request for Horde and Squirrelmail
Link: http://www.openwall.com/lists/oss-security/2010/06/21/1
Source: MLIST
Name: [oss-security] 20100525 Re: CVE Request for Horde and Squirrelmail
Link: http://www.openwall.com/lists/oss-security/2010/05/25/9
Source: MLIST
Name: [oss-security] 20100525 Re: CVE Request for Horde and Squirrelmail
Link: http://www.openwall.com/lists/oss-security/2010/05/25/3
Source: MISC
Link: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/plugins/mail_fetch/options.php?r1=13951&r2=13950&pathrev=13951
Source: MISC
Link: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/plugins/mail_fetch/functions.php?r1=13951&r2=13950&pathrev=13951
Source: squirrelmail.org
Link: http://squirrelmail.org/security/issue/2010-06-21
Source: MISC
Link: http://conference.hitb.org/hitbsecconf2010dxb/materials/D1%20-%20Laurent%20Oudot%20-%20Improving%20the%20Stealthiness%20of%20Web%20Hacking.pdf#page=69
Affected Entities
- Squirrelmail Squirrelmail:1.2.10
- Squirrelmail Squirrelmail:1.2.1
- Squirrelmail Squirrelmail:1.2.2
- Squirrelmail Squirrelmail:1.2.11
- Squirrelmail Squirrelmail:1.2.4
Patches
None available