Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 201001-08 ] SquirrelMail: Multiple vulnerabilities
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Veteran
Veteran


Joined: 12 May 2004
Posts: 1571

PostPosted: Thu Jan 14, 2010 2:26 am    Post subject: [ GLSA 201001-08 ] SquirrelMail: Multiple vulnerabilities Reply with quote

Gentoo Linux Security Advisory

Title: SquirrelMail: Multiple vulnerabilities (GLSA 201001-08)
Severity: high
Exploitable: remote
Date: January 13, 2010
Bug(s): #269567, #270671
ID: 201001-08

Synopsis


Multiple vulnerabilities were found in SquirrelMail of which the worst
results in remote code execution.


Background


SquirrelMail is a standards-based webmail package written in PHP.


Affected Packages

Package: mail-client/squirrelmail
Vulnerable: < 1.4.19
Unaffected: >= 1.4.19
Architectures: All supported architectures


Description


Multiple vulnerabilities were found in SquirrelMail:
  • Niels
    Teusink reported multiple input sanitation flaws in certain encrypted
    strings in e-mail headers, related to contrib/decrypt_headers.php,
    PHP_SELF and the query string (aka QUERY_STRING) (CVE-2009-1578).
  • Niels Teusink also reported that the map_yp_alias() function
    in functions/imap_general.php does not filter shell metacharacters in a
    username and that the original patch was incomplete (CVE-2009-1381,
    CVE-2009-1579).
  • Tomas Hoger discovered an unspecified session fixation
    vulnerability (CVE-2009-1580).
  • Luc Beurton reported that functions/mime.php does not protect
    the application's content from Cascading Style Sheets (CSS) positioning
    in HTML e-mail messages (CVE-2009-1581).


Impact


The vulnerabilities allow remote attackers to execute arbitrary code
with the privileges of the user running the web server, to hijack web
sessions via a crafted cookie, to spoof the user interface and to
conduct Cross-Site Scripting and phishing attacks, via a specially
crafted message.


Workaround


There is no known workaround at this time.


Resolution


All SquirrelMail users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/squirrelmail-1.4.19"


References

CVE-2009-1381
CVE-2009-1578
CVE-2009-1579
CVE-2009-1580
CVE-2009-1581
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum