Executive Summary

Information

| Field | Value | Field | Value |
|---|---|---|---|
| Name | MDVSA-2010:120 | First vendor Publication | 2010-06-21 |
| Vendor | Mandriva | Last vendor Modification | 2010-06-21 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3

CVSS vector: N/A

| Metric | Value | Metric | Value |
|---|---|---|---|
| Overall CVSS Score | NA | | |
| Base Score | NA | Environmental Score | NA |
| Impact Sub Score | NA | Temporal Score | NA |
| Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

| Metric | Value | Metric | Value |
|---|---|---|---|
| CVSS Base Score | 4 | Attack Range | Network |
| CVSS Impact Score | 2.9 | Attack Complexity | Low |
| CVSS Exploit Score | 8 | Authentication | Requires single instance |
Detail

A vulnerability was reported in the SquirrelMail Mail Fetch plugin: when the plugin is activated by the administrator, a user is allowed to specify, without restriction, any port number for their external POP account settings. The intention is to let users reach POP3 servers on non-standard ports, but it also lets malicious users effectively port-scan any server through their SquirrelMail service. This matters most when the SquirrelMail server sits on a network behind a firewall, since the user may then explore the network topography (DNS scan) and the services available (port scan) on the inside of that firewall. As this vulnerability is only exploitable post-authentication, and better, more specific port scanning tools are freely available, we consider it to be of very low severity. It has been fixed by restricting the allowable POP port numbers, with an administrator configuration override available (CVE-2010-1637). The updated packages have been patched to correct this issue.
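The fix described above, as an added example that is not SquirrelMail's or Mandriva's own code: a Python validator that accepts a user-supplied POP port only when it is a well-formed port number on an administrator-controlled allowlist, with the administrator override the advisory mentions. The function name, the default allowlist of 110 and 995, and the sample inputs are assumptions.

```python
"""Added example (not SquirrelMail's own code): validate a user-supplied
POP3 port the way the CVE-2010-1637 fix does, with an admin override.
The function name, default allowlist and sample inputs are assumptions."""
import re

# Assumed admin configuration mirroring the fixed plugin: by default only
# the standard POP3 ports are permitted; an administrator may extend the
# list or disable the restriction entirely.
DEFAULT_ALLOWED_POP_PORTS = {110, 995}


def validate_pop_port(user_input, allowed_ports=DEFAULT_ALLOWED_POP_PORTS,
                      admin_override=False):
    """Return (accepted, port_or_None, reason).

    The pre-fix behaviour is equivalent to admin_override=True with no
    other checks: any value went straight to the connect call, which is
    what turned the fetch feature into a port probe.
    """
    text = str(user_input).strip()
    # Only plain ASCII decimal digits: rejects "", "0x6e", "110 ", unicode digits.
    if not re.fullmatch(r"[0-9]+", text):
        return (False, None, "port must be a decimal integer")
    port = int(text)
    if not 1 <= port <= 65535:
        return (False, None, "port out of range 1-65535")
    if admin_override:
        return (True, port, "accepted: administrator disabled the restriction")
    if port not in allowed_ports:
        # Defender's view: log this; repeated rejections across many ports
        # from one account is the scanning pattern the advisory describes.
        return (False, None, "port %d not in allowed POP3 ports %s"
                % (port, sorted(allowed_ports)))
    return (True, port, "accepted")


if __name__ == "__main__":
    # Constructed sample inputs: ordinary users plus values that look like
    # probing rather than mail fetching.
    for value, override in [("110", False), ("995", False), ("22", False),
                            ("22", True), ("3306", False), ("abc", False)]:
        print(value, override, validate_pop_port(value, admin_override=override))
```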
Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2010:120
OpenVAS Exploits

| Date | Name | File |
|---|---|---|
| 2012-07-30 | CentOS Update for squirrelmail CESA-2012:0103 centos4 | nvt/gb_CESA-2012_0103_squirrelmail_centos4.nasl |
| 2012-07-30 | CentOS Update for squirrelmail CESA-2012:0103 centos5 | nvt/gb_CESA-2012_0103_squirrelmail_centos5.nasl |
| 2012-02-13 | RedHat Update for squirrelmail RHSA-2012:0103-01 | nvt/gb_RHSA-2012_0103-01_squirrelmail.nasl |
| 2012-02-06 | Mac OS X Multiple Vulnerabilities (2012-001) | nvt/gb_macosx_su12-001.nasl |
| 2010-08-13 | Fedora Update for squirrelmail FEDORA-2010-11410 | nvt/gb_fedora_2010_11410_squirrelmail_fc12.nasl |
| 2010-08-13 | Fedora Update for squirrelmail FEDORA-2010-11422 | nvt/gb_fedora_2010_11422_squirrelmail_fc13.nasl |
| 2010-06-25 | Fedora Update for squirrelmail FEDORA-2010-10244 | nvt/gb_fedora_2010_10244_squirrelmail_fc12.nasl |
| 2010-06-25 | Fedora Update for squirrelmail FEDORA-2010-10259 | nvt/gb_fedora_2010_10259_squirrelmail_fc13.nasl |
| 2010-06-25 | Fedora Update for squirrelmail FEDORA-2010-10264 | nvt/gb_fedora_2010_10264_squirrelmail_fc11.nasl |
| 2010-06-25 | Mandriva Update for squirrelmail MDVSA-2010:120 (squirrelmail) | nvt/gb_mandriva_MDVSA_2010_120.nasl |
| 2010-06-22 | SquirrelMail 'mail_fetch' Remote Information Disclosure Vulnerability | nvt/gb_SquirrelMail_40291.nasl |
| 2010-04-19 | Mandriva Update for openoffice.org-voikko MDVA-2010:120 (openoffice.org-voikko) | nvt/gb_mandriva_MDVA_2010_120.nasl |
Open Source Vulnerability Database (OSVDB)

| Id | Description |
|---|---|
| 65696 | SquirrelMail Mail Fetch Plugin Modified POP3 Port Number Access Restriction B... |
Nessus® Vulnerability Scanner

| Date | Name | File | Type |
|---|---|---|---|
| 2013-07-12 | The remote Oracle Linux host is missing a security update. | oraclelinux_ELSA-2012-0103.nasl | ACT_GATHER_INFO |
| 2012-08-01 | The remote Scientific Linux host is missing a security update. | sl_20120208_squirrelmail_on_SL4_x.nasl | ACT_GATHER_INFO |
| 2012-02-09 | The remote CentOS host is missing a security update. | centos_RHSA-2012-0103.nasl | ACT_GATHER_INFO |
| 2012-02-09 | The remote Red Hat host is missing a security update. | redhat-RHSA-2012-0103.nasl | ACT_GATHER_INFO |
| 2012-02-02 | The remote host is missing a Mac OS X update that fixes multiple security vul... | macosx_SecUpd2012-001.nasl | ACT_GATHER_INFO |
| 2010-07-01 | The remote Fedora host is missing a security update. | fedora_2010-10244.nasl | ACT_GATHER_INFO |
| 2010-07-01 | The remote Fedora host is missing a security update. | fedora_2010-10259.nasl | ACT_GATHER_INFO |
| 2010-07-01 | The remote Fedora host is missing a security update. | fedora_2010-10264.nasl | ACT_GATHER_INFO |