squirrelmail: denial of service

Package(s): squirrelmail
CVE #(s): CVE-2010-2813
Created: August 12, 2010
Updated: January 14, 2013
Description:

From the SquirrelMail advisory:

A bug has been identified in SquirrelMail that poses a denial of service risk. The problem exists in SquirrelMail versions up through 1.4.20 wherein an attacker can submit random login attempts with 8-bit characters in the password. This will cause SquirrelMail to temporarily accept the login (further actions will all fail; user is never *actually* logged in) and create a preferences file (if one does not already exist) for the given username. An attacker could continue to use random usernames with the same password until enough preference files are created that the server runs out of hard disk space. We consider this a relatively low-risk problem, but it nevertheless has been fixed in SquirrelMail version 1.4.21.
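
For servers that cannot be upgraded immediately, the effect described in the advisory can be watched for by auditing the preferences directory for files that match no real account. The following is an added example, not part of the SquirrelMail advisory or the project's code; the `<username>.pref` naming, the function names and the sample data are assumptions.

```python
import os
import shutil
import tempfile
import time

PREF_SUFFIX = ".pref"  # assumption: preferences are stored as <username>.pref


def audit_pref_files(data_dir, known_users, window=3600, now=None):
    """Find preference files with no matching account and count the recent ones."""
    now = time.time() if now is None else now
    known = set(known_users)
    orphans = []
    for entry in os.scandir(data_dir):
        if not entry.name.endswith(PREF_SUFFIX):
            continue
        if not entry.is_file(follow_symlinks=False):
            continue
        user = entry.name[: -len(PREF_SUFFIX)]
        if user not in known:
            st = entry.stat(follow_symlinks=False)
            # mtime stands in for creation time: these files are never edited
            orphans.append((user, st.st_size, st.st_mtime))
    orphans.sort(key=lambda o: o[2])  # oldest first
    usage = shutil.disk_usage(data_dir)
    return {
        "orphans": [o[0] for o in orphans],
        "orphan_bytes": sum(o[1] for o in orphans),
        "recent": sum(1 for o in orphans if now - o[2] <= window),
        "free_fraction": usage.free / usage.total,
    }


def demo():
    """Run the audit on a constructed data directory (sample data, not real)."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        # (file name, age in seconds); alice and bob are the only real accounts
        sample = [("alice.pref", 86400 * 30), ("bob.pref", 86400 * 7),
                  ("qzxv1.pref", 120), ("qzxv2.pref", 90), ("qzxv3.pref", 60),
                  ("old-typo.pref", 86400 * 90), ("alice.abook", 50)]
        for name, age in sample:
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed=1\n")
            os.utime(path, (now - age, now - age))
        return audit_pref_files(d, ["alice", "bob"], window=3600, now=now)


if __name__ == "__main__":
    print(demo())
```

A rising `recent` count together with a falling `free_fraction` is the signal to alert on; `known_users` would come from the mail server's account list.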

Alerts:
Mandriva MDVSA-2010:158 2010-08-23
Debian DSA-2091-1 2010-08-12
Fedora FEDORA-2010-11422 2010-07-27
Fedora FEDORA-2010-11410 2010-07-27
Red Hat RHSA-2012:0103-01 2012-02-08
CentOS CESA-2012:0103 2012-02-08
CentOS CESA-2012:0103 2012-02-08
Oracle ELSA-2012-0103 2012-02-09
Oracle ELSA-2012-0103 2012-02-09
Scientific Linux SL-squi-20120208 2012-02-08
Oracle ELSA-2013-0126 2013-01-12

Copyright © 2013, Eklektix, Inc.