SquirrelMail abook_database.php SQL Injection

2004-04-27T00:00:00
ID OSVDB:6841
Type osvdb
Reporter Marc Groot Koerkamp
Modified 2004-04-27T00:00:00

Description

Vulnerability Description

SquirrelMail contains a flaw that allows an attacker to inject arbitrary SQL code. The issue is due to insufficient sanitizing of input sent to the "abook_database.php" script, which lets an attacker inject or manipulate SQL queries. By sending a specially crafted URL containing malicious SQL code, a remote attacker could add, modify or delete user information in the backend database.
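
The defect class above, shown as an added example that is not SquirrelMail's code: a hypothetical address-book lookup written first with request data spliced into the SQL text and then with bound parameters, plus a check that the same input only changes the query's meaning in the first form. The table layout, column names and rows are constructed for the demonstration.

```python
"""Added example (not SquirrelMail's abook_database.php): an address-book
lookup written two ways, with a check showing why bound parameters close
the injection described in the advisory. Schema and rows are constructed."""
import sqlite3

# Constructed address-book table, loosely modelled on an owner/nickname layout
SCHEMA = """
CREATE TABLE address (owner TEXT, nickname TEXT, email TEXT);
INSERT INTO address VALUES ('alice', 'bob',   'bob@example.org');
INSERT INTO address VALUES ('alice', 'carol', 'carol@example.org');
INSERT INTO address VALUES ('dave',  'erin',  'erin@example.org');
"""


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def lookup_vulnerable(con: sqlite3.Connection, owner: str, nickname: str) -> list:
    # Flawed pattern: request data is concatenated into the statement, so a
    # quote character in 'nickname' changes the structure of the query.
    sql = ("SELECT nickname, email FROM address "
           f"WHERE owner = '{owner}' AND nickname = '{nickname}'")
    return con.execute(sql).fetchall()


def lookup_parameterized(con: sqlite3.Connection, owner: str, nickname: str) -> list:
    # Hardened pattern: placeholders bind the values, so the input is only
    # ever compared as data and cannot alter the statement.
    sql = "SELECT nickname, email FROM address WHERE owner = ? AND nickname = ?"
    return con.execute(sql, (owner, nickname)).fetchall()


def compare(nickname: str) -> dict:
    """Run both lookups as user 'alice' and report how many rows each returns.
    A benign nickname gives the same count in both; a quote-bearing one only
    widens the vulnerable query (here to every user's rows)."""
    con = open_db()
    return {
        "vulnerable": len(lookup_vulnerable(con, "alice", nickname)),
        "parameterized": len(lookup_parameterized(con, "alice", nickname)),
    }


if __name__ == "__main__":
    print(compare("bob"))           # {'vulnerable': 1, 'parameterized': 1}
    print(compare("x' OR 'a'='a"))  # {'vulnerable': 3, 'parameterized': 0}
```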

Solution Description

Upgrade to version 1.4.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.squirrelmail.org/
Secunia Advisory IDs: 11870, 12289, 11685, 11686
Related OSVDB ID: 6337
Other Advisory URL: http://sourceforge.net/mailarchive/forum.php?thread_id=4199060&forum_id=1988
Other Advisory URL: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000858
Mail List Post: http://marc.theaimsgroup.com/?l=squirrelmail-cvs&m=108309375029888
ISS X-Force ID: 16235
CVE ID: CVE-2004-0521
Bugtraq ID: 10397