Re: squirrelmail bug
From: Konstantin Riabitsev (icon@phy.duke.edu)
Date: 01/24/02
- Previous message: bugzilla@redhat.com: "[RHSA-2002:007-16] Updated 2.4 kernel available"
- Maybe in reply to: appelast@bsquad.sm.pl: "squirrelmail bug"
- Next in thread: Adam Herscher: "Re: squirrelmail bug"
Date: 24 Jan 2002 21:20:44 -0000
From: Konstantin Riabitsev <icon@phy.duke.edu>
To: bugtraq@securityfocus.com
In-Reply-To: <1176.213.134.140.130.1011887757.squirrel@mail.bsquad.sm.pl>
For future reference:
Please be cool -- first notify the authors of the
package before posting to bugtraq. This is the
generally accepted etiquette for handling
security-related bugs and allows developers to
come up with the fix before the problem is widely
known.
Here is the fix for the arbitrary remote execution
with httpd-user rights. Place this file in the
squirrelmail/plugins/squirrelspell directory and
execute it to fix the vulnerability.
--- begin sqspell_security_fix.sh ---
#!/bin/sh
# Point the two front-end scripts at the renamed modules
# (dots escaped so sed matches ".mod.php" literally).
sed 's/\.mod\.php/.mod/g' sqspell_interface.php > tmp.1
sed 's/\.mod\.php/.mod/g' sqspell_options.php > tmp.2
mv -f tmp.1 sqspell_interface.php
mv -f tmp.2 sqspell_options.php
# Drop the .php suffix so the web server no longer executes
# the modules when they are requested directly.
cd modules || exit 1
for FILE in *.mod.php; do
    [ -e "$FILE" ] || continue   # glob matched nothing: already fixed
    NEWFILE=`echo "$FILE" | sed 's/\.php$//'`
    mv "$FILE" "$NEWFILE"
done
--- end sqspell_security_fix.sh ---
http://www.dulug.duke.edu/~icon/misc/security_fix.sh.txt
squirrelmail-1.2.4 will contain the fix and should
be released shortly.
Regards,
--
Konstantin Riabitsev
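A verification script, added here as an example and not part of the post above or of SquirrelMail: it reports whether the rename fix is in place in a squirrelspell directory. It assumes the layout the fix script uses (sqspell_interface.php, sqspell_options.php and a modules/ subdirectory); the sample include lines and fixture files it builds are constructed test data.

```shell
#!/bin/sh
# Added example (not from the original post). The fix is applied when
# the two front-end scripts no longer reference *.mod.php and modules/
# holds nothing the web server would still execute as PHP.

# sqspell_fix_applied DIR -> exit status 0 if fixed, 1 if anything is left
sqspell_fix_applied() {
    dir=$1
    status=0
    for php in sqspell_interface.php sqspell_options.php; do
        if grep -q '\.mod\.php' "$dir/$php" 2>/dev/null; then
            echo "UNFIXED: $php still includes .mod.php modules"
            status=1
        fi
    done
    for f in "$dir"/modules/*.mod.php; do
        [ -e "$f" ] || continue      # unmatched glob: nothing left to rename
        echo "UNFIXED: $f would still be executed by the web server"
        status=1
    done
    return $status
}

# make_fixture fixed|unfixed -> prints the path of a constructed sample
# plugin directory (constructed test data, not real SquirrelMail files)
make_fixture() {
    root=$(mktemp -d)
    mkdir "$root/modules"
    if [ "$1" = unfixed ]; then
        suffix='.mod.php'
    else
        suffix='.mod'
    fi
    for php in sqspell_interface.php sqspell_options.php; do
        printf '<?php include("modules/$MOD%s"); ?>\n' "$suffix" > "$root/$php"
    done
    : > "$root/modules/check_me$suffix"
    echo "$root"
}

# Stand-alone run: check both constructed fixtures and clean them up.
for state in unfixed fixed; do
    d=$(make_fixture "$state")
    echo "--- $state fixture ($d)"
    sqspell_fix_applied "$d" && echo "OK: fix is applied"
    rm -rf "$d"
done
```

To audit a real installation, call `sqspell_fix_applied /path/to/squirrelmail/plugins/squirrelspell` and act on any UNFIXED line it prints.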