Executive Summary
Summary | |
---|---|
Title | New squirrelmail packages fix cross-site request forgery |
Information | |||
---|---|---|---|
Name | DSA-2091 | First vendor Publication | 2010-08-12 |
Vendor | Debian | Last vendor Modification | 2010-08-12 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
SquirrelMail, a webmail application, does not employ a user-specific token in its web forms. This allows a remote attacker to perform a Cross-Site Request Forgery (CSRF) attack: by tricking a logged-in victim into following a link or loading a page controlled by the attacker, the attacker can hijack the victim's authenticated session and, among other actions, send messages or change user preferences (CVE-2009-2964).

In addition, a denial of service was fixed that could be triggered when a password containing 8-bit characters was used to log in (CVE-2010-2813).

For the stable distribution (lenny), these problems have been fixed in version 1.4.15-4+lenny3.1. For the testing distribution (squeeze) and the unstable distribution (sid), these problems have been fixed in version 1.4.21-1.

We recommend that you upgrade your squirrelmail packages.
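The root cause above is that a form submission is accepted on the strength of the session cookie alone, which the victim's browser attaches to any request, including one an attacker's page auto-submits. The following is an added example, not SquirrelMail's own code: a minimal "send message" handler in its pre-fix and post-fix form, with a constructed in-memory session store and a forged request. The handler, field and session names are assumptions made for the demonstration.

```python
"""Per-session anti-CSRF token check, illustrating the class of fix shipped
in DSA-2091. Example code only; not SquirrelMail's implementation. Handler
names, form field names and the session layout are assumptions."""
import hmac
import secrets

# Constructed in-memory session store: cookie value -> session record.
SESSIONS = {}


def login(username):
    """Create a session and bind a fresh, unguessable token to it.
    Returns the session cookie value the browser would store."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = {
        "user": username,
        "csrf_token": secrets.token_hex(32),  # one secret token per session
        "sent": [],
    }
    return cookie


def csrf_token_for(cookie):
    """What the legitimate compose form embeds as a hidden input field."""
    return SESSIONS[cookie]["csrf_token"]


def send_message_vulnerable(cookie, form):
    """Pre-fix behaviour: any request carrying a valid session cookie is
    acted on, no matter which site produced the form."""
    session = SESSIONS.get(cookie)
    if session is None:
        return "login required"
    session["sent"].append((form["to"], form["body"]))
    return "sent"


def send_message_fixed(cookie, form):
    """Post-fix behaviour: the form must also carry the token bound to this
    session. A third-party page cannot read the victim's token (same-origin
    policy), so a forged form is rejected before any action is taken."""
    session = SESSIONS.get(cookie)
    if session is None:
        return "login required"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return "rejected: missing or invalid security token"
    session["sent"].append((form["to"], form["body"]))
    return "sent"


def forged_request():
    """Fields an attacker's auto-submitting form can supply. The browser adds
    the victim's cookie by itself; the attacker can fill in every field
    except the token, which never leaves the victim's origin."""
    return {"to": "attacker@example.invalid", "body": "forwarded secrets"}


def demo():
    """Run the forged request against both handlers, then a legitimate one."""
    cookie = login("alice")
    attack = forged_request()
    before = send_message_vulnerable(cookie, attack)   # "sent"
    after = send_message_fixed(cookie, attack)         # rejected
    legit = dict(attack, csrf_token=csrf_token_for(cookie))
    legit_result = send_message_fixed(cookie, legit)   # "sent"
    return before, after, legit_result


if __name__ == "__main__":
    print(demo())
```

The check has to be applied to every state-changing endpoint, not only the compose form; the OVAL entry below lists seventeen affected scripts for a reason. The token must also be regenerated on login so that a pre-authentication value cannot be fixed by the attacker, and it must never appear in a GET URL, where it would leak through Referer headers and logs.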
Original Source
Url : http://www.debian.org/security/2010/dsa-2091 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-399 | Resource Management Errors |
50 % | CWE-352 | Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10668 | |||
Oval ID: | oval:org.mitre.oval:def:10668 | ||
Title: | Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php. | ||
Description: | Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-2964 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Id: oval:org.mitre.oval:def:12149 | |||
Oval ID: | oval:org.mitre.oval:def:12149 | ||
Title: | DSA-2091-1 squirrelmail -- No user-specific token implemented | ||
Description: | SquirrelMail, a webmail application, does not employ a user-specific token for webforms. This allows a remote attacker to perform a Cross Site Request Forgery attack. The attacker may hijack the authentication of unspecified victims and send messages or change user preferences among other actions, by tricking the victim into following a link controlled by the offender. In addition, a denial-of-service was fixed, which could be triggered when a password containing 8-bit characters was used to log in. For the stable distribution, these problems have been fixed in version 2:1.4.15-4+lenny3.1. For the testing distribution and the unstable distribution, these problems have been fixed in version 1.4.21-1. We recommend that you upgrade your squirrelmail packages. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2091-1 CVE-2009-2964 CVE-2010-2813 | Version: | 7 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | squirrelmail |
Definition Id: oval:org.mitre.oval:def:22828 | |||
Oval ID: | oval:org.mitre.oval:def:22828 | ||
Title: | ELSA-2009:1490: squirrelmail security update (Moderate) | ||
Description: | Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2009:1490-01 CVE-2009-2964 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | squirrelmail |
Definition Id: oval:org.mitre.oval:def:29190 | |||
Oval ID: | oval:org.mitre.oval:def:29190 | ||
Title: | RHSA-2009:1490 -- squirrelmail security update (Moderate) | ||
Description: | An updated squirrelmail package that fixes several security issues is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2009:1490 CESA-2009:1490-CentOS 3 CVE-2009-2964 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 3 | Product(s): | squirrelmail |
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-07-30 | Name : CentOS Update for squirrelmail CESA-2012:0103 centos4 File : nvt/gb_CESA-2012_0103_squirrelmail_centos4.nasl |
2012-07-30 | Name : CentOS Update for squirrelmail CESA-2012:0103 centos5 File : nvt/gb_CESA-2012_0103_squirrelmail_centos5.nasl |
2012-02-13 | Name : RedHat Update for squirrelmail RHSA-2012:0103-01 File : nvt/gb_RHSA-2012_0103-01_squirrelmail.nasl |
2012-02-06 | Name : Mac OS X Multiple Vulnerabilities (2012-001) File : nvt/gb_macosx_su12-001.nasl |
2011-08-09 | Name : CentOS Update for squirrelmail CESA-2009:1490 centos3 i386 File : nvt/gb_CESA-2009_1490_squirrelmail_centos3_i386.nasl |
2011-08-09 | Name : CentOS Update for squirrelmail CESA-2009:1490 centos4 i386 File : nvt/gb_CESA-2009_1490_squirrelmail_centos4_i386.nasl |
2010-08-30 | Name : Mandriva Update for squirrelmail MDVSA-2010:158 (squirrelmail) File : nvt/gb_mandriva_MDVSA_2010_158.nasl |
2010-08-21 | Name : Debian Security Advisory DSA 2091-1 (squirrelmail) File : nvt/deb_2091_1.nasl |
2010-08-13 | Name : SquirrelMail Remote Denial of Service Vulnerability File : nvt/gb_SquirrelMail_42399.nasl |
2010-08-13 | Name : Fedora Update for squirrelmail FEDORA-2010-11410 File : nvt/gb_fedora_2010_11410_squirrelmail_fc12.nasl |
2010-08-13 | Name : Fedora Update for squirrelmail FEDORA-2010-11422 File : nvt/gb_fedora_2010_11422_squirrelmail_fc13.nasl |
2009-10-13 | Name : RedHat Security Advisory RHSA-2009:1490 File : nvt/RHSA_2009_1490.nasl |
2009-10-13 | Name : CentOS Security Advisory CESA-2009:1490 (squirrelmail) File : nvt/ovcesa2009_1490.nasl |
2009-09-02 | Name : Fedora Core 11 FEDORA-2009-8822 (squirrelmail) File : nvt/fcore_2009_8822.nasl |
2009-09-02 | Name : Mandrake Security Advisory MDVSA-2009:222 (squirrelmail) File : nvt/mdksa_2009_222.nasl |
2009-08-28 | Name : SquirrelMail Multiple Cross-Site Request Forgery Vulnerabilities File : nvt/secpod_squirrelmail_csrf_vuln.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
67245 | Squirrelmail Login Page functions/imap_general.php 8-bit Character Password D... |
57001 | SquirrelMail Multiple Form Pages CSRF |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2013-0126.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2012-0103.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2009-1490.nasl - Type : ACT_GATHER_INFO |
2013-01-17 | Name : The remote Scientific Linux host is missing a security update. File : sl_20130108_squirrelmail_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-01-17 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2013-0126.nasl - Type : ACT_GATHER_INFO |
2013-01-08 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2013-0126.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing a security update. File : sl_20120208_squirrelmail_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing a security update. File : sl_20091008_squirrelmail_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2012-02-09 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2012-0103.nasl - Type : ACT_GATHER_INFO |
2012-02-09 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2012-0103.nasl - Type : ACT_GATHER_INFO |
2012-02-02 | Name : The remote host is missing a Mac OS X update that fixes multiple security vul... File : macosx_SecUpd2012-001.nasl - Type : ACT_GATHER_INFO |
2010-08-17 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2091.nasl - Type : ACT_GATHER_INFO |
2010-08-12 | Name : The remote Fedora host is missing a security update. File : fedora_2010-11422.nasl - Type : ACT_GATHER_INFO |
2010-08-12 | Name : The remote Fedora host is missing a security update. File : fedora_2010-11410.nasl - Type : ACT_GATHER_INFO |
2010-06-15 | Name : The remote host is missing a Mac OS X update that fixes a security issue. File : macosx_SecUpd2010-004.nasl - Type : ACT_GATHER_INFO |
2010-06-15 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_10_6_4.nasl - Type : ACT_GATHER_INFO |
2009-10-09 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2009-1490.nasl - Type : ACT_GATHER_INFO |
2009-10-09 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2009-1490.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Fedora host is missing a security update. File : fedora_2009-8822.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Fedora host is missing a security update. File : fedora_2009-8797.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:29:36 |