GLSA Bodhisattva


Joined: 25 Feb 2003 Posts: 3826 Location: Essen, Germany
Posted: Fri May 21, 2004 6:29 pm Post subject: [ GLSA 200405-16 ] Multiple XSS Vulnerabilities in SquirrelM
Gentoo Linux Security Advisory
Title: Multiple XSS Vulnerabilities in SquirrelMail (GLSA 200405-16)
Severity: normal
Exploitable: remote
Date: May 25, 2004
Updated: May 27, 2006
Bug(s): #49675
ID: 200405-16
Synopsis
SquirrelMail is subject to several XSS and one SQL injection vulnerability.
Background
SquirrelMail is a webmail package written in PHP. It supports IMAP and SMTP, and can optionally be installed with SQL support.
Affected Packages
Package: mail-client/squirrelmail
Vulnerable: < 1.4.3_rc1
Unaffected: >= 1.4.3_rc1
Architectures: All supported architectures
Description
Several unspecified cross-site scripting (XSS) vulnerabilities and a well hidden SQL injection vulnerability were found. An XSS attack allows an attacker to insert malicious code into a web-based application. SquirrelMail does not check for code when parsing variables received via the URL query string.
Impact
One of the XSS vulnerabilities could be exploited by an attacker to steal cookie-based authentication credentials from the user's browser. The SQL injection issue could potentially be used by an attacker to run arbitrary SQL commands inside the SquirrelMail database with privileges of the SquirrelMail database user.
Workaround
There is no known workaround at this time. All users are advised to upgrade to version 1.4.3_rc1 or higher of SquirrelMail.
Resolution
All SquirrelMail users should upgrade to the latest stable version:

Code:
# emerge sync
# emerge -pv ">=mail-client/squirrelmail-1.4.3_rc1"
# emerge ">=mail-client/squirrelmail-1.4.3_rc1"
References
SquirrelMail 1.4.3_rc1 release announcement
Bugtraq security announcement
CERT description of XSS
CVE-2004-0519
CVE-2004-0521
Last edited by GLSA on Sat May 24, 2008 4:16 am; edited 5 times in total |
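The advisory above names two bug classes, reflected XSS from unchecked query-string variables and SQL injection, without showing code. The following is an added example, not SquirrelMail's code and not part of the GLSA: it shows the two defensive patterns that address those classes in PHP (HTML-context output encoding and bound SQL parameters), with a constructed in-memory SQLite fixture so it runs offline. All function, table and column names are assumptions made for the illustration.

```php
<?php
// Added example (not SquirrelMail code). Function, table and column names are
// assumptions; the SQLite fixture below is constructed for the illustration.

// 1. Reflected XSS: a query-string value that ends up in an HTML response must
//    be encoded for the HTML context, never echoed raw. Vulnerable pattern:
//        echo "<h1>" . $_GET['mailbox'] . "</h1>";
function html_safe(string $untrusted): string
{
    // ENT_QUOTES also encodes single quotes, so the result is safe inside
    // single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead
    // of returning an empty string and silently dropping the value.
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_mailbox_heading(array $query): string
{
    $mailbox = $query['mailbox'] ?? 'INBOX';
    return '<h1>' . html_safe($mailbox) . '</h1>';
}

// 2. SQL injection: interpolating a request value into the SQL text lets the
//    value change the statement. Vulnerable pattern:
//        $db->query("SELECT ... WHERE owner = '" . $_GET['owner'] . "'");
//    A bound parameter keeps the value as data whatever characters it holds.
function lookup_address_book(PDO $db, string $owner): array
{
    $stmt = $db->prepare('SELECT nickname, email FROM address WHERE owner = :owner');
    $stmt->execute([':owner' => $owner]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture: an in-memory database standing in for the
// SquirrelMail address-book table the advisory refers to.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE address (owner TEXT, nickname TEXT, email TEXT)');
$db->exec("INSERT INTO address VALUES ('alice', 'bob', 'bob@example.com')");
$db->exec("INSERT INTO address VALUES (\"o'brien\", 'carol', 'carol@example.com')");

// Constructed inputs: markup that must be rendered inertly, and a legitimate
// value containing a quote that would break naive string concatenation.
echo render_mailbox_heading(['mailbox' => 'INBOX']), PHP_EOL;
echo render_mailbox_heading(['mailbox' => '<b>INBOX</b>']), PHP_EOL;
// The quote is passed as data, so the row for o'brien is found and no
// statement is malformed.
echo count(lookup_address_book($db, "o'brien")), " row(s) for o'brien", PHP_EOL;
echo count(lookup_address_book($db, 'alice')), " row(s) for alice", PHP_EOL;
```

Run it with `php example.php` on a PHP build with the pdo_sqlite extension. The encoded heading shows `&lt;b&gt;INBOX&lt;/b&gt;` rather than live markup, and both lookups return one row, which is the check that the quote-bearing value was treated as data by the bound parameter.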
Deathwing00 Moderator


Joined: 13 Jun 2003 Posts: 4074 Location: Barcelona, Spain
Posted: Tue May 25, 2004 6:44 pm Post subject: ERRATA: [ GLSA 200405-16 ] Multiple XSS Vuln in SquirrelMail
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory [ERRATA UPDATE] GLSA 200405-16:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Multiple XSS Vulnerabilities in SquirrelMail
Date: May 25, 2004
Bugs: #49675
ID: 200405-16:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Errata
======
The original version of this Security Advisory listed the vulnerable
versions incorrectly. Whereas the original GLSA listed vulnerable versions
as "<= 1.4.2" it should have in fact been listed as "< 1.4.3_rc1". The
corrected "Affected Packages" section appears below.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-mail/squirrelmail < 1.4.3_rc1 >= 1.4.3_rc1
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200405-16.xml
License
=======
Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/1.0