Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 200408-02 ] Courier: Cross-site scripting vulnerability in SqWebMail
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Moderator
Moderator


Joined: 13 Jun 2003
Posts: 4079
Location: Dresden, Germany

PostPosted: Wed Aug 04, 2004 3:52 pm    Post subject: [ GLSA 200408-02 ] Courier: Cross-site scripting vulnerabili Reply with quote

Gentoo Linux Security Advisory

Title: Courier: Cross-site scripting vulnerability in SqWebMail (GLSA 200408-02)
Severity: normal
Exploitable: remote
Date: August 04, 2004
Bug(s): #58020
ID: 200408-02

Synopsis

The SqWebMail web application, included in the Courier suite, is vulnerable to cross-site scripting attacks.

Background

Courier is an integrated mail and groupware server based on open protocols. It provides ESMTP, IMAP, POP3, webmail, and mailing list services within a single framework. The webmail functionality included in Courier called SqWebMail allows you to access mailboxes from a web browser.

Affected Packages

Package: mail-mta/courier
Vulnerable: <= 0.45.6
Unaffected: >= 0.45.6.20040618
Architectures: All supported architectures


Description

Luca Legato found that SqWebMail is vulnerable to a cross-site scripting (XSS) attack. An XSS attack allows an attacker to insert malicious code into a web-based application. SqWebMail doesn't filter appropriately data coming from message headers before displaying them.

Impact

By sending a carefully crafted message, an attacker can inject and execute script code in the victim's browser window. This allows to modify the behaviour of the SqWebMail application, and/or leak session information such as cookies to the attacker.

Workaround

There is no known workaround at this time. All users are encouraged to upgrade to the latest available version of Courier.

Resolution

All Courier users should upgrade to the latest version:
Code:
# emerge sync
# emerge -pv ">=mail-mta/courier-0.45.6.20040618"
# emerge ">=mail-mta/courier-0.45.6.20040618"


References

CAN-2004-0591
XSS definition


Last edited by GLSA on Sun May 07, 2006 4:52 pm; edited 1 time in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum