load_prefs.php and supporting include files in SquirrelMail 1.0.4 and earlier do not properly initialize certain PHP variables, which allows remote attackers to (1) view sensitive files via the config_php and data_dir options, and (2) execute arbitrary code by using options_order.php to upload a message that could be interpreted as PHP.
SquirrelMail is a freely available webmail package written in PHP.
An input validation error exists in SquirrelMail that could enable remote users to execute arbitrary commands on a host running the package.
The problem occurs when certain query values are submitted that cause the authentication mechanisms used by the script to be bypassed, enabling remote users to inject malicious PHP code into user preference files. The code contained in the preference file is executed when a script loads the file.
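The two defects the advisory describes, uninitialized variables that register_globals lets a request populate, and a preference file that is executed rather than parsed, each shown beside the defensive pattern that removes it. This is an added illustration, not SquirrelMail's own code; SAFE_DATA_DIR, the `$username` parameter and the function names are hypothetical.

```php
<?php
// Added illustration (not SquirrelMail's code). SAFE_DATA_DIR and the function
// names are hypothetical; the defects mirror the advisory's description.

define('SAFE_DATA_DIR', '/var/lib/webmail/data');   // assumed fixed location

// Defect 1: a variable used before it is initialised. With register_globals=on
// (the default in PHP before 4.2), an unset $data_dir is silently filled from
// GET/POST/cookie data, so a client can point the script at any readable file.
function prefs_path_vulnerable($username) {
    global $data_dir;                       // never assigned: request-controlled
    return $data_dir . '/' . $username . '.pref';
}

// Fix: initialise from a constant, never from request data, constrain the user
// name so it carries no path separators, and confirm the resolved directory is
// still the data directory.
function prefs_path_safe($username) {
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}$/', $username)) {
        throw new InvalidArgumentException('bad username');
    }
    $path = SAFE_DATA_DIR . '/' . $username . '.pref';
    $base = realpath(SAFE_DATA_DIR);        // resolves symlinks and '..'
    if ($base === false || realpath(dirname($path)) !== $base) {
        throw new RuntimeException('preference path escapes data dir');
    }
    return $path;
}

// Defect 2: the preference file is included when loaded, so any PHP written
// into it by way of the options page runs with the web server's privileges.
function load_prefs_vulnerable($path) {
    include $path;                          // data file treated as code
}

// Fix: treat the file strictly as data. Each key=value line becomes an array
// entry; nothing in the file is ever evaluated.
function load_prefs_safe($path) {
    $prefs = array();
    $lines = @file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return $prefs;                      // missing file: empty preferences
    }
    foreach ($lines as $line) {
        if (strpos($line, '=') === false) {
            continue;                       // malformed line, ignored
        }
        list($key, $value) = explode('=', $line, 2);
        $prefs[trim($key)] = trim($value);
    }
    return $prefs;
}
```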
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us.
This issue is resolved in versions 1.0.6 and higher of SquirrelMail.