
From: Steve Brown <sbrown25 <at> gmail.com>
Subject: Re: SECURITY: 1.4.12 Package Compromise ISSUE=9272, PROJ=30
Newsgroups: gmane.mail.squirrelmail.user
Date: Friday 14th December 2007 18:04:01 UTC
> > Modifications seemed to be
> > based around a PHP global variable which we cannot track down.
>
> Actually I don't understand what this means...  What do you mean "cannot
> track down"?

It means that we couldn't find any reference to it in a doc or
anywhere else online.  However, we have since become aware of how this
variable might be created.

> What diff do you see between the compromised version and
> the one that is there now? I see only a comment diff in one file.

It was a small block of code that checks for a $_SERVER var.  If that
var was present, it would redefine SM_PATH.  Under normal
circumstances, this would never be executed, but we have since learned
how to make it execute.

Please upgrade to 1.4.13. :-)

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [email protected]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users