PT-2006-3760 · Squirrelmail+1

Published: 2006-06-06 · Updated: 2024-08-07 · CVE-2006-2842

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: SquirrelMail versions 1.4.6 and earlier

Description: The issue allows remote attackers to execute arbitrary PHP code via a URL in the `plugins` array parameter, under the specific conditions that `register_globals` is enabled and `magic_quotes_gpc` is disabled. The validity of this issue has been disputed, with some arguing that SquirrelMail gives administrators sufficient warnings when `register_globals` is enabled. However, the original developer has published a security advisory, indicating that the issue may be exploitable in real-world deployments.

Recommendations: For SquirrelMail versions 1.4.6 and earlier, disable the `register_globals` setting to prevent exploitation, and ensure `magic_quotes_gpc` is enabled as an extra layer of protection. As a temporary workaround, restrict access to the `functions/plugin.php` file until a permanent fix is applied.
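The advisory makes exploitability conditional on two php.ini settings and the SquirrelMail version. The following preflight check is an added example, not code from the advisory or from the SquirrelMail project; it reads the running php.ini values and reports whether a host meets all of the advisory's conditions. The script name and the version argument are assumptions made for this example.

```php
<?php
// Added example (not from the advisory or the SquirrelMail project): a CLI
// preflight check for the php.ini preconditions that CVE-2006-2842 depends on.
// Run it with the same php.ini the web server loads, e.g.
//   php -c /etc/php.ini check_cve_2006_2842.php 1.4.6
// (script name and version argument are assumptions for this example).

function ini_flag_enabled($value): bool {
    // php.ini booleans may be written as 1/On/True/Yes; anything else (including
    // the false that ini_get() returns for a directive PHP no longer knows) is off.
    return in_array(strtolower(trim((string) $value)), ['1', 'on', 'true', 'yes'], true);
}

function squirrelmail_is_affected(string $version): bool {
    // The advisory lists SquirrelMail 1.4.6 and earlier as affected.
    return version_compare($version, '1.4.6', '<=');
}

function cve_2006_2842_exposure(array $ini, string $version): array {
    $registerGlobals = ini_flag_enabled($ini['register_globals'] ?? '');
    $magicQuotes     = ini_flag_enabled($ini['magic_quotes_gpc'] ?? '');
    $affectedVersion = squirrelmail_is_affected($version);
    return [
        'affected_version' => $affectedVersion,
        'register_globals' => $registerGlobals,
        'magic_quotes_gpc' => $magicQuotes,
        // All three conditions from the advisory must hold for the issue to apply.
        'exposed'          => $affectedVersion && $registerGlobals && !$magicQuotes,
    ];
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $version = $argv[1] ?? '1.4.6';
    $live = [
        'register_globals' => ini_get('register_globals'),
        'magic_quotes_gpc' => ini_get('magic_quotes_gpc'),
    ];
    $r = cve_2006_2842_exposure($live, $version);
    printf("SquirrelMail %s in affected range:   %s\n", $version, $r['affected_version'] ? 'yes' : 'no');
    printf("register_globals enabled:            %s\n", $r['register_globals'] ? 'yes (disable it)' : 'no');
    printf("magic_quotes_gpc enabled:            %s\n", $r['magic_quotes_gpc'] ? 'yes' : 'no (enable it, or restrict functions/plugin.php)');
    printf("All advisory conditions met:         %s\n", $r['exposed'] ? 'YES' : 'no');
    exit($r['exposed'] ? 1 : 0);
}
```

A non-zero exit status means every condition from the advisory holds on this host, so the recommendations above apply.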

Related Identifiers

CVE-2006-2842
RHSA-2006:0547

Affected Products

Red Hat
Squirrelmail