Executive Summary
This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
| Informations | |||
|---|---|---|---|
| Name | MDVSA-2009:222 | First vendor Publication | 2009-08-28 |
| Vendor | Mandriva | Last vendor Modification | 2009-08-28 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 6.8 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| A vulnerability has been found and corrected in squirrelmail: All form submissions (send message, change preferences, etc.) in SquirrelMail were previously subject to cross-site request forgery (CSRF), wherein data could be sent to them from an offsite location, which could allow an attacker to inject malicious content into user preferences or possibly send emails without user consent (CVE-2009-2964). This update provides a solution to this vulnerability. |
Original Source
| Url : http://www.mandriva.com/security/advisories?name=MDVSA-2009:222 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-352 | Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25) |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:10668 | |||
| Oval ID: | oval:org.mitre.oval:def:10668 | ||
| Title: | Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php. | ||
| Description: | Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php. | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2009-2964 | Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:22828 | |||
| Oval ID: | oval:org.mitre.oval:def:22828 | ||
| Title: | ELSA-2009:1490: squirrelmail security update (Moderate) | ||
| Description: | Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php. | ||
| Family: | unix | Class: | patch |
| Reference(s): | ELSA-2009:1490-01 CVE-2009-2964 | Version: | 6 |
| Platform(s): | Oracle Linux 5 | Product(s): | squirrelmail |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:29190 | |||
| Oval ID: | oval:org.mitre.oval:def:29190 | ||
| Title: | RHSA-2009:1490 -- squirrelmail security update (Moderate) | ||
| Description: | An updated squirrelmail package that fixes several security issues is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. | ||
| Family: | unix | Class: | patch |
| Reference(s): | RHSA-2009:1490 CESA-2009:1490-CentOS 3 CVE-2009-2964 | Version: | 3 |
| Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 3 | Product(s): | squirrelmail |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2011-08-09 | Name : CentOS Update for squirrelmail CESA-2009:1490 centos3 i386 File : nvt/gb_CESA-2009_1490_squirrelmail_centos3_i386.nasl |
| 2011-08-09 | Name : CentOS Update for squirrelmail CESA-2009:1490 centos4 i386 File : nvt/gb_CESA-2009_1490_squirrelmail_centos4_i386.nasl |
| 2010-08-21 | Name : Debian Security Advisory DSA 2091-1 (squirrelmail) File : nvt/deb_2091_1.nasl |
| 2009-10-13 | Name : RedHat Security Advisory RHSA-2009:1490 File : nvt/RHSA_2009_1490.nasl |
| 2009-10-13 | Name : CentOS Security Advisory CESA-2009:1490 (squirrelmail) File : nvt/ovcesa2009_1490.nasl |
| 2009-09-02 | Name : Fedora Core 11 FEDORA-2009-8822 (squirrelmail) File : nvt/fcore_2009_8822.nasl |
| 2009-09-02 | Name : Mandrake Security Advisory MDVSA-2009:222 (squirrelmail) File : nvt/mdksa_2009_222.nasl |
| 2009-08-28 | Name : SquirrelMail Multiple Cross-Site Request Forgery Vulnerabilities File : nvt/secpod_squirrelmail_csrf_vuln.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 57001 | SquirrelMail Multiple Form Pages CSRF |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2009-1490.nasl - Type : ACT_GATHER_INFO |
| 2012-08-01 | Name : The remote Scientific Linux host is missing a security update. File : sl_20091008_squirrelmail_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
| 2010-08-17 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2091.nasl - Type : ACT_GATHER_INFO |
| 2010-06-15 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_10_6_4.nasl - Type : ACT_GATHER_INFO |
| 2010-06-15 | Name : The remote host is missing a Mac OS X update that fixes a security issue. File : macosx_SecUpd2010-004.nasl - Type : ACT_GATHER_INFO |
| 2009-10-09 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2009-1490.nasl - Type : ACT_GATHER_INFO |
| 2009-10-09 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2009-1490.nasl - Type : ACT_GATHER_INFO |
| 2009-08-24 | Name : The remote Fedora host is missing a security update. File : fedora_2009-8797.nasl - Type : ACT_GATHER_INFO |
| 2009-08-24 | Name : The remote Fedora host is missing a security update. File : fedora_2009-8822.nasl - Type : ACT_GATHER_INFO |
