[VIM] SquirrelMail issue is dynamic variable evaluation

Steven M. Christey coley at mitre.org
Fri Aug 11 16:46:41 EDT 2006


FYI.  The MISC reference below is for the patch, which removes the
following code:

-        foreach ($session_expired_post as $postvar => $val) {
-            if (isset($val)) {
-                $$postvar = $val;
-            } else {
-                $$postvar = '';


So, the $$postvar is obviously dynamic variable evaluation.

SquirrelMail and FrSIRT refer to this as "variable overwrite," and
maybe that's a better term than what I use :)

- Steve


======================================================
Name: CVE-2006-4019
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4019
Reference: CONFIRM:http://www.squirrelmail.org/security/issue/2006-08-11
Reference: MISC:http://www.squirrelmail.org/patches/sqm1.4.7-expired-post-fix-full.patch
Reference: FRSIRT:ADV-2006-3271
Reference: URL:http://www.frsirt.com/english/advisories/2006/3271
Reference: SECUNIA:21354
Reference: URL:http://secunia.com/advisories/21354

Dynamic variable evaluation vulnerability in compose.php in
SquirrelMail 1.4.0 to 1.4.7 allows remote attackers to overwriute
arbitrary program variables and read or write the attachments and
preferences of other users.




More information about the VIM mailing list