Vulnerability Description
load_prefs.php and supporting include files in SquirrelMail 1.0.4 and earlier do not properly initialize certain PHP variables, which allows remote attackers to (1) view sensitive files via the config_php and data_dir options, and (2) execute arbitrary code by using options_order.php to upload a message that could be interpreted as PHP.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Squirrelmail | Squirrelmail | 1.0.4 |
References
- http://archives.neohapsis.com/archives/bugtraq/2001-07/0029.htmlPatchVendor Advisory
- http://www.iss.net/security_center/static/6775.phpPatchVendor Advisory
- http://www.securityfocus.com/bid/2968PatchVendor Advisory
- http://www.squirrelmail.org/changelog.php
- http://archives.neohapsis.com/archives/bugtraq/2001-07/0029.htmlPatchVendor Advisory
- http://www.iss.net/security_center/static/6775.phpPatchVendor Advisory
- http://www.securityfocus.com/bid/2968PatchVendor Advisory
- http://www.squirrelmail.org/changelog.php
FAQ
What is CVE-2001-1159?
CVE-2001-1159 is a vulnerability with a CVSS score of 7.5 (HIGH). load_prefs.php and supporting include files in SquirrelMail 1.0.4 and earlier do not properly initialize certain PHP variables, which allows remote attackers to (1) view sensitive files via the config...
How severe is CVE-2001-1159?
CVE-2001-1159 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2001-1159?
Check the references section above for vendor advisories and patch information. Affected products include: Squirrelmail Squirrelmail.