Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 7.5
CVE Id CVE-2006-2842
Last Modified 07 Mar 2011 09:37:07
Published 06 Jun 2006 04:06:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2006-2842

Summary

** DISPUTED ** PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter. NOTE: this issue has been disputed by third parties, who state that Squirrelmail provides prominent warnings to the administrator when register_globals is enabled. Since the varieties of administrator negligence are uncountable, perhaps this type of issue should not be included in CVE. However, the original developer has posted a security advisory, so there might be relevant real-world environments under which this vulnerability is applicable.

Vulnerable Systems

Application

  • Squirrelmail 1.0.4
  • Squirrelmail 1.0.5
  • Squirrelmail 1.2.0
  • Squirrelmail 1.2.1
  • Squirrelmail 1.2.2
  • Squirrelmail 1.2.3
  • Squirrelmail 1.2.4
  • Squirrelmail 1.2.5
  • Squirrelmail 1.2.6
  • Squirrelmail 1.2.7
  • Squirrelmail 1.2.8
  • Squirrelmail 1.2.9
  • Squirrelmail 1.2.10
  • Squirrelmail 1.2.11
  • Squirrelmail 1.4
  • Squirrelmail 1.4.0
  • Squirrelmail 1.4.1
  • Squirrelmail 1.4.2
  • Squirrelmail 1.4.3
  • Squirrelmail 1.4.3 R3
  • Squirrelmail 1.4.3 Rc1
  • Squirrelmail 1.4.3a
  • Squirrelmail 1.4.4
  • Squirrelmail 1.4.4 Rc1
  • Squirrelmail 1.4.5
  • Squirrelmail 1.4.6
  • Squirrelmail 1.4.6 Rc1


References

CONFIRM - http://www.squirrelmail.org/security/issue/2006-06-01

CONFIRM - http://squirrelmail.cvs.sourceforge.net/squirrelmail/squirrelmail/functions/global.php?r1=1.27.2.16&r2=1.27.2.17&view=patch&pathrev=SM-1_4-STABLE

SECUNIA - 20406

VUPEN - ADV-2007-2732

VUPEN - ADV-2006-2101

BID - 18231

BUGTRAQ - 20060601 Squirrelmail local file inclusion

SECTRACK - 1016209

BID - 25159

REDHAT - RHSA-2006:0547

SUSE - SUSE-SR:2006:017

MANDRIVA - MDKSA-2006:101

SECUNIA - 26235

SECUNIA - 21262

SECUNIA - 21159

SECUNIA - 20931

APPLE - APPLE-SA-2007-07-31

CONFIRM - http://docs.info.apple.com/article.html?artnum=306172

SGI - 20060703-01-P

Related Patches

Apple 2007-07-31 Security Update 2007-007 (10.4.10 Server PPC) (Rev 2)

Apple 2007-07-31 Security Update 2007-007 (10.4.10 PPC) (Rev 2)

Apple 2007-07-31 Security Update 2007-007 (10.4.10 Server Universal) (Rev 2)

Apple 2007-07-31 Security Update 2007-007 (10.4.10 Universal) (Rev 2)


Last Updated: 27 May 2016 10:42:46