CVE-2010-1637 Mail fetch plugin can be used as proxy for port scan
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
squirrelmail (Ubuntu) | Fix Released | Undecided | Unassigned |
Hardy | Fix Released | Low | Unassigned |
Jaunty | Fix Released | Low | Unassigned |
Karmic | Fix Released | Low | Unassigned |
Lucid | Fix Released | Low | Unassigned |
Maverick | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: squirrelmail
Description from http://
A vulnerability was reported in the SquirrelMail Mail Fetch plugin, wherein (when the plugin is activated by the administrator) a user is allowed to specify (without restriction) any port number for their external POP account settings. While the intention is to allow users to access POP3 servers using non-standard ports, this also allows malicious users to effectively port-scan any server through their SquirrelMail service (especially note that when a SquirrelMail server resides on a network behind a firewall, it may allow the user to explore the network topography (DNS scan) and services available (port scan) on the inside of (behind) that firewall). As this vulnerability is only exploitable post-authentica
visibility: private → public
Changed in squirrelmail (Ubuntu):
status: New → In Progress
Changed in squirrelmail (Ubuntu Lucid):
status: New → In Progress
Changed in squirrelmail (Ubuntu Jaunty):
status: New → In Progress
Changed in squirrelmail (Ubuntu Hardy):
status: New → In Progress
Changed in squirrelmail (Ubuntu Karmic):
status: New → In Progress
This bug was fixed in the package squirrelmail - 2:1.4.20-1ubuntu1
---------------
squirrelmail (2:1.4.20-1ubuntu1) maverick; urgency=low
* SECURITY UPDATE: (LP: #598077) squirrelmail.org/security/issue/2010-06-21
* The Mail Fetch plugin allows remote authenticated users to bypass firewall
restrictions and use SquirrelMail as a proxy to scan internal networks via
a modified POP3 port number.
- http://
- CVE-2010-1637
- Patch taken from upstream svn rev. 13951. Applied inline.
-- Andreas Wenning <email address hidden> Thu, 24 Jun 2010 14:19:29 +0200
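
One way to constrain the user-supplied POP server settings described in this report, as an added example in PHP (not SquirrelMail's code and not the upstream patch). The function name, the allowlist of ports 110 and 995, and the injected resolver are assumptions made for illustration.

```php
<?php
// Added example; not SquirrelMail code. All names are hypothetical.
// Assumed policy: only plain POP3 and POP3 over TLS may be chosen.
const ALLOWED_POP_PORTS = [110, 995];

/**
 * Returns null when the host/port pair may be contacted, else a reason.
 * $resolver maps a hostname to a list of IP strings so the check runs
 * offline here; in production it would wrap gethostbynamel().
 */
function pop_target_rejection(string $host, string $port, callable $resolver): ?string
{
    // The port must be plain decimal digits and on the allowlist.
    if (!preg_match('/^[0-9]{1,5}$/D', $port)
        || !in_array((int) $port, ALLOWED_POP_PORTS, true)) {
        return 'port not allowed';
    }
    // An IP literal is checked as given; a name is resolved first.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolver($host);
    if (!$ips) {
        return 'host does not resolve';
    }
    // Every resolved address must be public. A single private, loopback
    // or link-local record is enough to reject the whole target.
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return "address $ip is internal or reserved";
        }
    }
    return null;
}

// Constructed sample data: a stand-in resolver and four form submissions.
$fakeDns = [
    'pop.example.org'  => ['93.184.216.34'],
    'intranet.example' => ['10.0.0.5'],
];
$resolver = function (string $h) use ($fakeDns): array {
    return $fakeDns[$h] ?? [];
};
$cases = [['pop.example.org', '995'], ['pop.example.org', '22'],
          ['intranet.example', '110'], ['127.0.0.1', '110']];
foreach ($cases as [$h, $p]) {
    // Log the specific reason server-side; show users one generic error.
    printf("%-17s %-4s %s\n", $h, $p,
        pop_target_rejection($h, $p, $resolver) ?? 'ok');
}
```

Connect to the address that passed the check rather than resolving the hostname a second time, so the validated target and the contacted target are the same.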