GLSA (Bodhisattva)
Joined: 25 Feb 2003 Posts: 3829 Location: Essen, Germany
Posted: Fri May 21, 2004 6:29 pm Post subject: [ GLSA 200405-16 ] Multiple XSS Vulnerabilities in SquirrelM
Gentoo Linux Security Advisory
Title: Multiple XSS Vulnerabilities in SquirrelMail (GLSA 200405-16)
Severity: normal
Exploitable: remote
Date: May 25, 2004
Updated: May 27, 2006
Bug(s): #49675
ID: 200405-16
Synopsis
SquirrelMail is subject to several XSS and one SQL injection vulnerability.
Background
SquirrelMail is a webmail package written in PHP. It supports IMAP and
SMTP, and can optionally be installed with SQL support.
Affected Packages
Package: mail-client/squirrelmail
Vulnerable: < 1.4.3_rc1
Unaffected: >= 1.4.3_rc1
Architectures: All supported architectures
Description
Several unspecified cross-site scripting (XSS) vulnerabilities and a
well hidden SQL injection vulnerability were found. An XSS attack
allows an attacker to insert malicious code into a web-based
application. SquirrelMail does not check for code when parsing
variables received via the URL query string.
Impact
One of the XSS vulnerabilities could be exploited by an attacker to
steal cookie-based authentication credentials from the user's browser.
The SQL injection issue could potentially be used by an attacker to run
arbitrary SQL commands inside the SquirrelMail database with privileges
of the SquirrelMail database user.
Workaround
There is no known workaround at this time. All users are advised to
upgrade to version 1.4.3_rc1 or higher of SquirrelMail.
Resolution
All SquirrelMail users should upgrade to the latest stable version:
Code:
# emerge sync
# emerge -pv ">=mail-client/squirrelmail-1.4.3_rc1"
# emerge ">=mail-client/squirrelmail-1.4.3_rc1"
References
SquirrelMail 1.4.3_rc1 release announcement
Bugtraq security announcement
CERT description of XSS
CVE-2004-0519
CVE-2004-0521
Last edited by GLSA on Tue Feb 10, 2015 4:16 am; edited 7 times in total
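The bug class the advisory describes (query-string values written into the page or into SQL without encoding), as an added illustration that is not SquirrelMail's own code; the `folder` parameter, the `userprefs` table and its column names are assumed for the example:

```php
<?php
// Added illustration of the flaw class in GLSA 200405-16, not SquirrelMail code.
// The "folder" parameter and the "userprefs" table are assumed for this example.

// Vulnerable pattern: a query-string variable is written straight into the
// response, so any markup or script it carries is rendered by the browser
// (reflected XSS; cookie theft is the impact the advisory names).
function render_folder_unsafe(array $get): string {
    $folder = $get['folder'] ?? 'INBOX';
    return "<h1>Folder: $folder</h1>";
}

// Hardened: encode the value for the HTML context it is inserted into.
function render_folder_safe(array $get): string {
    $raw = $get['folder'] ?? 'INBOX';
    $folder = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>Folder: $folder</h1>";
}

// SQL injection counterpart: a string-built query runs whatever the user
// name carries with the privileges of the SquirrelMail database user.
function load_prefs_unsafe(PDO $db, string $user): array {
    $sql = "SELECT prefkey, prefval FROM userprefs WHERE user = '$user'";
    return $db->query($sql)->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Hardened: a prepared statement keeps the value out of the SQL grammar.
function load_prefs_safe(PDO $db, string $user): array {
    $stmt = $db->prepare('SELECT prefkey, prefval FROM userprefs WHERE user = :user');
    $stmt->execute([':user' => $user]);
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Constructed input showing the difference between the two renderers.
$probe = ['folder' => '<b>x</b>'];
echo render_folder_unsafe($probe), "\n"; // the tag is emitted as live markup
echo render_folder_safe($probe), "\n";   // emitted as &lt;b&gt;x&lt;/b&gt;, shown literally
```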
Deathwing00 (Bodhisattva)
Joined: 13 Jun 2003 Posts: 4087 Location: Dresden, Germany
Posted: Tue May 25, 2004 6:44 pm Post subject: ERRATA: [ GLSA 200405-16 ] Multiple XSS Vuln in SquirrelMail
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory [ERRATA UPDATE] GLSA 200405-16:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Multiple XSS Vulnerabilities in SquirrelMail
Date: May 25, 2004
Bugs: #49675
ID: 200405-16:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Errata
======
The original version of this Security Advisory listed the vulnerable
versions incorrectly. Whereas the original GLSA listed vulnerable versions
as "<= 1.4.2" it should have in fact been listed as "< 1.4.3_rc1". The
corrected "Affected Packages" section appears below.
Affected packages
=================
    -------------------------------------------------------------------
     Package                   /  Vulnerable  /   Unaffected
    -------------------------------------------------------------------
  1  net-mail/squirrelmail        < 1.4.3_rc1      >= 1.4.3_rc1
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200405-16.xml
License
=======
Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/1.0