Bugtraq mailing list archives
Re: squirrelmail bug
From: Konstantin Riabitsev <icon () phy duke edu>
Date: 24 Jan 2002 21:20:44 -0000
In-Reply-To: <1176.213.134.140.130.1011887757.squirrel () mail bsquad sm pl> For future reference: Please be cool -- first notify the authors of the package before posting to bugtraq. This is the generally accepted etiquette for handling the security-related bugs and allows developers to come up with the fix before the problem is widely known. Here is the fix for the arbitrary remote execution with httpd-user rights. Place this file in the squirrelmail/plugins/squirrelspell directory and execute it to fix the vulnerability. --- begin sqspell_security_fix.sh --- #!/bin/sh sed "s/.mod.php/.mod/g" sqspell_interface.php > tmp.1 sed "s/.mod.php/.mod/g" sqspell_options.php > tmp.2 mv -f tmp.1 sqspell_interface.php mv -f tmp.2 sqspell_options.php cd modules for FILE in *.mod.php; do NEWFILE=`echo $FILE | sed 's/.php//'` mv $FILE $NEWFILE done --- end sqspell_security_fix.sh --- http://www.dulug.duke.edu/~icon/misc/security_fix.sh.txt squirrelmail-1.2.4 will contain the fix and should be released shortly. Regards, -- Konstantin Riabitsev
Current thread:
- squirrelmail bug appelast (Jan 24)
- <Possible follow-ups>
- Re: squirrelmail bug Konstantin Riabitsev (Jan 24)
- Re: squirrelmail bug Adam Herscher (Jan 24)