Squirrelmail Update
IPaddress
06-08-2004, 07:34 PM
Which is the best method to upgrade SquirrelMail webmail for this security problem?
SquirrelMail Email Header HTML Injection Vulnerability
BugTraq ID: 10439
Remote: Yes
Date Published: May 31 2004
Relevant URL: http://www.securityfocus.com/bid/10439
Summary:
SquirrelMail is reported to be prone to an email header HTML injection vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied email header strings.
An attacker can exploit this issue to gain access to an unsuspecting user's cookie based authentication credentials; disclosure of personal email is possible. Other attacks are also possible.
-------------
My actual version is: 1.4.2
the last version is: 1.4.3a
tks
l0rdphi1
06-08-2004, 10:03 PM
Hello,
If DirectAdmin's current version of squirrelmail.sh is installing 1.4.3a and there's a way to update the scripts in /usr/local/directadmin/scripts/, you could rm -fr /var/www/html/squirrelmail-1.4.2 and run /usr/local/directadmin/scripts/squirrelmail.sh. :)
I'm only not sure how to pull the latest squirrelmail.sh into /usr/local/directadmin/scripts/.
Phi1.
vandal
06-08-2004, 10:59 PM
Here is what I did. ***I take no responsibility for what may happen with this! Use at your own risk.***
1. cd /usr/local/directadmin/scripts/packages/
download the new squirrel mail
2. wget http://belnet.dl.sourceforge.net/sourceforge/squirrelmail/squirrelmail-1.4.3a.tar.gz
change the owner and permissions of the file
3. chown diradmin.diradmin squirrelmail-1.4.3a.tar.gz; chmod 700 squirrelmail-1.4.3a.tar.gz
edit the squirrelmail.sh file
4. pico /usr/local/directadmin/scripts/squirrelmail.sh
change the version number, find the VERSION=1.4.2 line
change to
5. VERSION=1.4.3a
then simply change to the directory
6. cd /usr/local/directadmin/scripts/
and run the script
7. ./squirrelmail.sh
then we need to grab the old data and config directories
8. cd /var/www/html/squirrelmail-1.4.2; cp -R data/ ../squirrelmail-1.4.3a/; cp -R config ../squirrelmail-1.4.3a/
9. chown -R apache.apache /var/www/html/squirrelmail-1.4.3a/ (as per Icheb's suggestion)
say yes to overwriting everything.
all done, and it appears to work just fine.
good luck!
IPaddress
06-09-2004, 07:01 AM
But remember to move the data directory (user prefs) and config dir.
TKS
Dario
vandal
06-09-2004, 08:29 AM
Thanks IPAddress, I updated my tutorial with your suggestions.
Icheb
06-11-2004, 11:49 PM
It worked. But I needed to chmod apache:apache -R on the data dir before it really worked. So perhaps you should also add this :D
vandal
06-12-2004, 01:03 AM
Done and done, although I never had to do this :D
Thanks for the great how-to.
I too had to chown the data directory to apache:apache.
But I guess point 9) should be changed to:
chown apache:apache /var/www/html/squirrelmail-1.4.3a/data -R
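
The copy and chown steps from the thread (steps 8 and 9, with the data-only chown from the last post) as one checked shell function. This is an added example, not code from any poster or from DirectAdmin; the function name, the config.dist backup copy and the final chmod are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: carry data/ and config/ from the old SquirrelMail tree into
# the new one, then hand only data/ to the web server account.
# Arguments (assumed interface): OLD_DIR NEW_DIR OWNER, e.g. apache:apache
migrate_squirrelmail() {
    old=$1 new=$2 owner=$3

    # Refuse to run with missing arguments or identical trees.
    [ -n "$old" ] && [ -n "$new" ] && [ -n "$owner" ] || {
        echo "usage: migrate_squirrelmail OLD_DIR NEW_DIR OWNER" >&2; return 2; }
    [ "$old" != "$new" ] || { echo "old and new are the same" >&2; return 2; }

    # Both trees must look like SquirrelMail installs before anything is copied.
    for d in "$old/data" "$old/config" "$new/config"; do
        [ -d "$d" ] || { echo "missing directory: $d" >&2; return 1; }
    done
    [ -f "$old/config/config.php" ] || {
        echo "no config.php in $old/config" >&2; return 1; }

    # Keep the new release's shipped config so it can be compared or restored.
    if [ ! -e "$new/config.dist" ]; then
        cp -Rp "$new/config" "$new/config.dist" || return 1
    fi

    # -p preserves modes and timestamps; copying "dir/." merges into the target
    # instead of nesting data/data when the target already exists.
    mkdir -p "$new/data" || return 1
    cp -Rp "$old/data/." "$new/data/" || return 1
    cp -Rp "$old/config/." "$new/config/" || return 1

    # Only data/ has to be writable by the web server; code and config keep
    # the owner they were installed with.
    chown -R "$owner" "$new/data" || return 1
    # Preference files hold personal data: drop access for other local users
    # (hardening added in this example, not a step from the thread).
    chmod -R o-rwx "$new/data" || return 1
}
```

With the paths from the thread this would be called as `migrate_squirrelmail /var/www/html/squirrelmail-1.4.2 /var/www/html/squirrelmail-1.4.3a apache:apache` after squirrelmail.sh has unpacked the new version.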