SquirrelMail  

Security

DoS risk against login page

Date:
2010-07-23
Description:
A bug has been identified in SquirrelMail that poses a denial of service risk. The problem exists in SquirrelMail versions up through 1.4.20: an attacker can submit random login attempts with 8-bit characters in the password. This causes SquirrelMail to temporarily accept the login (all further actions fail; the user is never *actually* logged in) and to create a preferences file (if one does not already exist) for the given username. An attacker could continue to use random usernames with the same password until enough preference files have been created that the server runs out of hard disk space. We consider this a relatively low-risk problem, but it has nevertheless been fixed in SquirrelMail version 1.4.21.
Affected Versions:
<= 1.4.20
Register Globals:
Register_globals does not have to be on for this issue.
CVE ID(s):
CVE-2010-2813
Patch:
view patch
Credits:
Mikhail Goriachev
This page last updated:
2010-07-23 09:27:06
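As an added defender-side check (example code, not SquirrelMail's own), the following script lists preference files in the data directory that belong to no known account, which is exactly what exploitation of this bug leaves behind. It assumes SquirrelMail's `$data_dir` layout of one `<username>.pref` file per user and a caller-supplied list of real accounts; the sample directory it builds is constructed for the demonstration.

```python
import os
import tempfile

# Assumption: SquirrelMail keeps per-user preferences as "<username>.pref"
# inside $data_dir (alongside the shared default_pref file).
PREF_SUFFIX = ".pref"


def find_orphan_prefs(data_dir, known_users):
    """Return {username: size_in_bytes} for .pref files whose username is
    not a real account.  A growing number of these is the on-disk symptom
    of the CVE-2010-2813 login flood."""
    known = set(known_users)
    orphans = {}
    for name in os.listdir(data_dir):
        if not name.endswith(PREF_SUFFIX):
            continue                      # skip default_pref, .abook, .sig ...
        user = name[: -len(PREF_SUFFIX)]
        if user not in known:
            orphans[user] = os.path.getsize(os.path.join(data_dir, name))
    return orphans


def orphan_summary(data_dir, known_users):
    """(count, total_bytes) of orphan preference files, for alerting."""
    orphans = find_orphan_prefs(data_dir, known_users)
    return len(orphans), sum(orphans.values())


def build_sample_data_dir():
    """Constructed fixture: two legitimate users plus three junk usernames
    of the kind a random-login flood would create."""
    d = tempfile.mkdtemp(prefix="sm_data_")
    for user in ("alice", "bob", "zq8x1", "kp0r7", "mm2w9"):
        with open(os.path.join(d, user + PREF_SUFFIX), "w", newline="\n") as f:
            f.write("theme_default=0\nlanguage=en_US\n")
    with open(os.path.join(d, "default_pref"), "w", newline="\n") as f:
        f.write("theme_default=0\n")
    return d


if __name__ == "__main__":
    d = build_sample_data_dir()
    count, size = orphan_summary(d, ["alice", "bob"])
    print("orphan preference files: %d (%d bytes)" % (count, size))
```

In production the known-account list would come from the mail store (for example the IMAP server's user database) rather than a literal list, and the summary can feed a disk-usage alert.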
© 1999-2010 by The SquirrelMail Project Team