Gentoo Forums
[ GLSA 200405-16 ] Multiple XSS Vulnerabilities in SquirrelMail
GLSA
Bodhisattva
Joined: 25 Feb 2003
Posts: 3827
Location: Essen, Germany

PostPosted: Fri May 21, 2004 6:29 pm    Post subject: [ GLSA 200405-16 ] Multiple XSS Vulnerabilities in SquirrelMail

Gentoo Linux Security Advisory

Title: Multiple XSS Vulnerabilities in SquirrelMail (GLSA 200405-16)
Severity: normal
Exploitable: remote
Date: May 25, 2004
Updated: May 27, 2006
Bug(s): #49675
ID: 200405-16

Synopsis

SquirrelMail is subject to several XSS vulnerabilities and one SQL injection vulnerability.

Background

SquirrelMail is a webmail package written in PHP. It supports IMAP and SMTP, and can optionally be installed with SQL support.

Affected Packages

Package: mail-client/squirrelmail
Vulnerable: < 1.4.3_rc1
Unaffected: >= 1.4.3_rc1
Architectures: All supported architectures


Description

Several unspecified cross-site scripting (XSS) vulnerabilities and a well hidden SQL injection vulnerability were found. An XSS attack allows an attacker to insert malicious code into a web-based application. SquirrelMail does not check for code when parsing variables received via the URL query string.

Impact

One of the XSS vulnerabilities could be exploited by an attacker to steal cookie-based authentication credentials from the user's browser. The SQL injection issue could potentially be used by an attacker to run arbitrary SQL commands inside the SquirrelMail database with privileges of the SquirrelMail database user.

Workaround

There is no known workaround at this time. All users are advised to upgrade to version 1.4.3_rc1 or higher of SquirrelMail.

Resolution

All SquirrelMail users should upgrade to the latest stable version:
Code:
# emerge sync
# emerge -pv ">=mail-client/squirrelmail-1.4.3_rc1"
# emerge ">=mail-client/squirrelmail-1.4.3_rc1"


References

SquirrelMail 1.4.3_rc1 release announcement
Bugtraq security announcement
CERT description of XSS
CVE-2004-0519
CVE-2004-0521


Last edited by GLSA on Sat May 24, 2008 4:16 am; edited 5 times in total
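The advisory describes two bug classes but, as it says, leaves the locations unspecified: query-string values echoed into the page without checks (reflected XSS, the cookie-theft impact above) and a value reaching an SQL statement unescaped. The following is an added illustration of both patterns next to their fixed forms; it is not SquirrelMail's code, and the script name, `mailbox` parameter, `userprefs` table and sample rows are constructed for the example.

```python
"""Reflected XSS and SQL injection from an unescaped request parameter,
shown next to the escaped / parameterized versions.

Added illustration for the GLSA above; NOT SquirrelMail's code.  The URL,
parameter name, table and column names are constructed for the example.
"""
import html
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed sample requests (not real SquirrelMail URLs).
BENIGN_URL = "http://webmail.example/folder.php?mailbox=INBOX"
XSS_URL = ("http://webmail.example/folder.php"
           "?mailbox=<script>alert(document.cookie)</script>")


def query_param(url, name):
    """Return the first value of `name` from the URL's query string."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(url):
    """Echoes the raw parameter into HTML: any markup carried in the
    link is interpreted by the victim's browser (reflected XSS)."""
    return "<h2>Folder: %s</h2>" % query_param(url, "mailbox")


def render_hardened(url):
    """Same output, but the parameter is HTML-escaped first, so '<'
    becomes '&lt;' and no tag boundary can be injected."""
    return "<h2>Folder: %s</h2>" % html.escape(query_param(url, "mailbox"))


def contains_live_script(page):
    """Check helper: does an unescaped <script> tag survive in the page?"""
    return "<script>" in page.lower()


def open_prefs_db():
    """In-memory table standing in for a per-user preference store
    (constructed data, not SquirrelMail's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE userprefs (username TEXT, prefkey TEXT, prefval TEXT)")
    conn.executemany(
        "INSERT INTO userprefs VALUES (?, ?, ?)",
        [("alice", "theme", "default"),
         ("bob", "theme", "dark"),
         ("bob", "signature", "bob's private signature")],
    )
    conn.commit()
    return conn


def prefs_vulnerable(conn, username):
    """String-builds the WHERE clause: a quote in `username` rewrites the
    query and runs with the application's database privileges."""
    sql = ("SELECT username, prefkey, prefval FROM userprefs "
           "WHERE username = '%s'" % username)
    return conn.execute(sql).fetchall()


def prefs_hardened(conn, username):
    """Bound parameter: the value is data and can never become SQL syntax."""
    sql = ("SELECT username, prefkey, prefval FROM userprefs "
           "WHERE username = ?")
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    print(render_vulnerable(XSS_URL))
    print(render_hardened(XSS_URL))
    db = open_prefs_db()
    injected = "alice' OR '1'='1"
    print(len(prefs_vulnerable(db, injected)), "rows leaked via injection")
    print(len(prefs_hardened(db, injected)), "rows with a bound parameter")
```

Run it directly to see the escaped and unescaped output side by side; the injected username returns every user's rows from the string-built query and none from the parameterized one.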
Deathwing00
Moderator
Joined: 13 Jun 2003
Posts: 4078
Location: Barcelona, Spain

PostPosted: Tue May 25, 2004 6:44 pm    Post subject: ERRATA: [ GLSA 200405-16 ] Multiple XSS Vuln in SquirrelMail

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory [ERRATA UPDATE] GLSA 200405-16:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Multiple XSS Vulnerabilities in SquirrelMail
Date: May 25, 2004
Bugs: #49675
ID: 200405-16:02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Errata
======
The original version of this Security Advisory listed the vulnerable
versions incorrectly. Whereas the original GLSA listed vulnerable versions
as "<= 1.4.2" it should have in fact been listed as "< 1.4.3_rc1". The
corrected "Affected Packages" section appears below.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-mail/squirrelmail < 1.4.3_rc1 >= 1.4.3_rc1

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200405-16.xml

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
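The errata matters because "<= 1.4.2" and "< 1.4.3_rc1" are different ranges under Portage's ordering: a revision bump such as a hypothetical 1.4.2-r1 (not a version the page lists) sorts above 1.4.2 but below 1.4.3_rc1, and 1.4.3_rc1 itself sorts below 1.4.3. The following is an added example, not Portage's own code, implementing the ordering rules for the version forms relevant here (dotted numbers, an optional trailing letter, _alpha/_beta/_pre/_rc/_p suffixes and a -rN revision) so an installed version can be checked against the corrected range; the version strings in the demo are constructed.

```python
"""Gentoo-style version ordering, used to ask "is this installed
squirrelmail version inside the GLSA's vulnerable range?".

Added example for the errata above; not Portage's own code.  The demo
version strings are constructed (only 1.4.2 and 1.4.3_rc1 appear in the
advisory).
"""
import re

# Pre-release suffixes sort below the plain version, _p above it.
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

_VERSION_RE = re.compile(
    r"^(?P<num>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"
    r"(?:-r(?P<rev>\d+))?$"
)


def parse_version(version):
    """Split '1.4.3_rc1-r2' into (['1', '4', '3'], '', [(3, 1)], 2)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError("not a Gentoo version string: %r" % version)
    numbers = m.group("num").split(".")
    letter = m.group("letter") or ""
    suffixes = [(_SUFFIX_RANK[name], int(n or 0))
                for name, n in re.findall(r"_([a-z]+)(\d*)",
                                          m.group("suffixes"))]
    if not suffixes:                      # no suffix means a final release
        suffixes = [(_SUFFIX_RANK[""], 0)]
    return numbers, letter, suffixes, int(m.group("rev") or 0)


def _cmp(a, b):
    return (a > b) - (a < b)


def _cmp_numbers(na, nb):
    """First component compares as an integer; later components that
    start with '0' compare as strings (1.01 < 1.1), others as integers
    (1.10 > 1.9)."""
    c = _cmp(int(na[0]), int(nb[0]))
    if c:
        return c
    for x, y in zip(na[1:], nb[1:]):
        if x.startswith("0") or y.startswith("0"):
            c = _cmp(x.rstrip("0"), y.rstrip("0"))
        else:
            c = _cmp(int(x), int(y))
        if c:
            return c
    return _cmp(len(na), len(nb))


def _cmp_suffixes(sa, sb):
    for x, y in zip(sa, sb):
        c = _cmp(x, y)
        if c:
            return c
    if len(sa) == len(sb):
        return 0
    # The version with more suffixes wins only if its extra suffix is _p.
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    extra_rank = longer[min(len(sa), len(sb))][0]
    return sign if extra_rank == _SUFFIX_RANK["p"] else -sign


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a sorts below, equal to or above b."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    return (_cmp_numbers(na, nb) or _cmp(la, lb)
            or _cmp_suffixes(sa, sb) or _cmp(ra, rb))


def affected_by_glsa(installed, first_unaffected="1.4.3_rc1"):
    """True when `installed` falls in the corrected range '< 1.4.3_rc1'."""
    return compare_versions(installed, first_unaffected) < 0


def matches_original_wording(installed, upper="1.4.2"):
    """True when `installed` falls in the original, wrong range '<= 1.4.2'."""
    return compare_versions(installed, upper) <= 0


if __name__ == "__main__":
    # Constructed version strings; 1.4.2-r1 and 1.4.3 are hypothetical here.
    for v in ["1.4.2", "1.4.2-r1", "1.4.3_rc1", "1.4.3"]:
        print("%-10s  < 1.4.3_rc1: %-5s   <= 1.4.2: %s"
              % (v, affected_by_glsa(v), matches_original_wording(v)))
```

The demo loop shows the gap the errata closes: 1.4.2-r1 is inside the corrected range but outside the original wording, while 1.4.3_rc1 and 1.4.3 are outside both.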