Security Information and Review

Collection of security information and review

SquirrelMail Cross-Site Request Forgery (CSRF) Vulnerability and Solution

Author : Admin

SquirrelMail is a well-known webmail package written in pure PHP that supports standard e-mail protocols such as IMAP and SMTP. In SquirrelMail, every page renders as pure HTML with no JavaScript required, for maximum compatibility across browsers.


On August 12, 2009, a vulnerability was reported in SquirrelMail that can be exploited by an attacker using the Cross-Site Request Forgery (CSRF) technique. Find more information about this technique at Problem and Solution : Cross Site Request Forgery ( XSRF ).


All form submissions (send message, change preferences, etc.) in SquirrelMail were previously subject to cross-site request forgery (CSRF). The application allowed users to perform certain actions via HTTP requests without performing any validation checks to verify that those requests actually originated from its own forms, so the data could be sent from an offsite location. This could allow an attacker to inject malicious content into user preferences or possibly send emails without the user's consent: for example, it can be exploited to change user preferences, delete emails, and potentially send emails when a logged-in user visits a malicious web page.


The vulnerabilities are confirmed in version 1.4.17; other versions may also be affected. To fix this vulnerability, the SquirrelMail Team has released candidate version 1.4.20RC1. The most notable changes in this version are the addition of two security mechanisms that fight cross-site request forgeries (CSRF), the removal of some deprecated PHP functions, some minor fixes in the filters plugin, and increased user privacy.
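The post does not describe the two mechanisms SquirrelMail added, so the following is an added illustration in PHP, not SquirrelMail's own code: a preference-update handler as it behaves without any request validation, beside the same handler protected by a per-session anti-CSRF token. The function names, the `signature` preference field and the `options.php` action are assumptions for the example.

```php
<?php
// Added illustration (not SquirrelMail code): a preference-update handler
// before and after adding a per-session anti-CSRF token.
session_start();

// BEFORE: any POST reaching this handler is honoured, so a form hosted on
// another site that submits to this URL changes the logged-in victim's settings.
function update_prefs_vulnerable(array $post, array &$prefs): bool {
    if (!isset($post['signature'])) {
        return false;
    }
    $prefs['signature'] = $post['signature'];   // no origin or token check at all
    return true;
}

// AFTER: every form embeds a secret bound to the session; the handler rejects
// requests that do not echo it back, and a cross-site page cannot read it.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // 64 hex chars
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string {
    $tok = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $tok . '">';
}

function update_prefs_protected(array $post, array &$prefs): bool {
    $sent = (string)($post['csrf_token'] ?? '');
    // hash_equals() compares in constant time, so the check leaks no timing info.
    if ($sent === '' || !hash_equals((string)($_SESSION['csrf_token'] ?? ''), $sent)) {
        http_response_code(403);
        return false;                            // forged, missing or stale token
    }
    if (!isset($post['signature'])) {
        return false;
    }
    $prefs['signature'] = $post['signature'];
    return true;
}

// Rendering the form: the token travels in a hidden field on every
// state-changing page (assumed action URL options.php).
// echo '<form method="post" action="options.php">' . csrf_field()
//    . '<textarea name="signature"></textarea><button>Save</button></form>';
```

The token must be regenerated when a new session is created (login) so that a value captured from an old session cannot be replayed against a new one.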


Mohamad Widodo

Categories: Web Application Security
If you like this post, please leave a message / comment.