Security

DoS risk against login page

Date: 2010-07-23
Description: A bug has been identified in SquirrelMail that poses a denial of service risk.  The problem exists in SquirrelMail versions up through 1.4.20 wherein an attacker can submit random login attempts with 8-bit characters in the password.  This will cause SquirrelMail to temporarily accept the login (further actions will all fail; user is never *actually* logged in) and create a preferences file (if one does not already exist) for the given username.  An attacker could continue to use random usernames with the same password until enough preference files are created that the server runs out of hard disk space.  We consider this a relatively low-risk problem, but it nevertheless has been fixed in SquirrelMail version 1.4.21.
Affected Versions: <= 1.4.20
Register Globals: Register_globals does not have to be on for this issue.
CVE ID(s): CVE-2010-2813
Patch: view patch
Credits: Mikhail Goriachev
This page last updated: 2010-07-23 09:27:06
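For installations that ran an affected version, the following added example (not SquirrelMail code and not part of the original advisory) checks a data directory for preference files left behind for usernames that are not real accounts, and measures how tightly clustered in time they are. It assumes file-based preferences stored as `<username>.pref` and an administrator-supplied list of valid accounts; the function names and sample data are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

PREF_SUFFIX = ".pref"  # assumption: prefs are stored as <username>.pref


def orphan_prefs(data_dir, known_users):
    """Return sorted (mtime, username) for prefs files with no matching account."""
    known = set(known_users)
    orphans = []
    for entry in Path(data_dir).iterdir():
        if entry.is_file() and entry.name.endswith(PREF_SUFFIX):
            user = entry.name[: -len(PREF_SUFFIX)]
            if user not in known:
                # mtime approximates creation time: a file created by a
                # failed login is never written again by a real session.
                orphans.append((entry.stat().st_mtime, user))
    return sorted(orphans)


def largest_burst(orphans, window_seconds):
    """Largest number of orphan files written within any sliding time window."""
    times = [t for t, _ in orphans]
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def demo():
    """Constructed sample: two real users plus five prefs files for unknown names."""
    with tempfile.TemporaryDirectory() as d:
        base = 1_279_876_000  # arbitrary constructed timestamp
        sample = {"alice": 0, "bob": 50_000, "old-typo": 10, "qzx1": 90_000,
                  "qzx2": 90_002, "qzx3": 90_003, "qzx4": 90_005}
        for name, offset in sample.items():
            path = Path(d) / (name + PREF_SUFFIX)
            path.write_text("")
            os.utime(path, (base + offset, base + offset))
        orphans = orphan_prefs(d, known_users=["alice", "bob"])
        return [u for _, u in orphans], largest_burst(orphans, window_seconds=60)


if __name__ == "__main__":
    print(demo())
```

A single stray orphan usually means a mistyped username; many orphans written within seconds of each other match the pattern the advisory describes and are worth cleaning up after upgrading to 1.4.21.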