Executive Summary
Summary | |
---|---|
Title | squirrelmail security update |
Informations | |||
---|---|---|---|
Name | RHSA-2009:0010 | First vendor Publication | 2009-01-12 |
Vendor | RedHat | Last vendor Modification | 2009-01-12 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: An updated squirrelmail package that resolves various security issues is now available for Red Hat Enterprise Linux 3, 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 3 - noarch Red Hat Desktop version 3 - noarch Red Hat Enterprise Linux ES version 3 - noarch Red Hat Enterprise Linux WS version 3 - noarch Red Hat Enterprise Linux AS version 4 - noarch Red Hat Enterprise Linux Desktop version 4 - noarch Red Hat Enterprise Linux ES version 4 - noarch Red Hat Enterprise Linux WS version 4 - noarch RHEL Desktop Workstation (v. 5 client) - noarch Red Hat Enterprise Linux (v. 5 server) - noarch 3. Description: SquirrelMail is an easy-to-configure, standards-based, webmail package written in PHP. It includes built-in PHP support for the IMAP and SMTP protocols, and pure HTML 4.0 page-rendering (with no JavaScript required) for maximum browser-compatibility, strong MIME support, address books, and folder manipulation. Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail caused by insufficient HTML mail sanitization. A remote attacker could send a specially-crafted HTML mail or attachment that could cause a user's Web browser to execute a malicious script in the context of the SquirrelMail session when that email or attachment was opened by the user. (CVE-2008-2379) It was discovered that SquirrelMail allowed cookies over insecure connections (ie did not restrict cookies to HTTPS connections). An attacker who controlled the communication channel between a user and the SquirrelMail server, or who was able to sniff the user's network communication, could use this flaw to obtain the user's session cookie, if a user made an HTTP request to the server. (CVE-2008-3663) Note: After applying this update, all session cookies set for SquirrelMail sessions started over HTTPS connections will have the "secure" flag set. That is, browsers will only send such cookies over an HTTPS connection. If needed, you can revert to the previous behavior by setting the configuration option "$only_secure_cookies" to "false" in SquirrelMail's /etc/squirrelmail/config.php configuration file. Users of squirrelmail should upgrade to this updated package, which contains backported patches to correct these issues. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 464183 - CVE-2008-3663 squirrelmail: session hijacking - secure flag not set for HTTPS-only cookies 473877 - CVE-2008-2379 squirrelmail: XSS issue caused by an insufficient html mail sanitation |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2009-0010.html |
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-102 | Session Sidejacking |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-310 | Cryptographic Issues |
50 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10548 | |||
Oval ID: | oval:org.mitre.oval:def:10548 | ||
Title: | Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. | ||
Description: | Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-3663 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18672 | |||
Oval ID: | oval:org.mitre.oval:def:18672 | ||
Title: | DSA-1682-1 squirrelmail - cross site scripting | ||
Description: | Ivan Markovic discovered that SquirrelMail, a webmail application, did not sufficiently sanitise incoming HTML email, allowing an attacker to perform cross site scripting through sending a malicious HTML email. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1682-1 CVE-2008-2379 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | squirrelmail |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:22370 | |||
Oval ID: | oval:org.mitre.oval:def:22370 | ||
Title: | ELSA-2009:0010: squirrelmail security update (Moderate) | ||
Description: | Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2009:0010-01 CVE-2008-2379 CVE-2008-3663 | Version: | 13 |
Platform(s): | Oracle Linux 5 | Product(s): | squirrelmail |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:29372 | |||
Oval ID: | oval:org.mitre.oval:def:29372 | ||
Title: | RHSA-2009:0010 -- squirrelmail security update (Moderate) | ||
Description: | An updated squirrelmail package that resolves various security issues is now available for Red Hat Enterprise Linux 3, 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. SquirrelMail is an easy-to-configure, standards-based, webmail package written in PHP. It includes built-in PHP support for the IMAP and SMTP protocols, and pure HTML 4.0 page-rendering (with no JavaScript required) for maximum browser-compatibility, strong MIME support, address books, and folder manipulation. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2009:0010 CESA-2009:0010-CentOS 3 CESA-2009:0010-CentOS 5 CVE-2008-2379 CVE-2008-3663 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 3 CentOS Linux 5 | Product(s): | squirrelmail |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:8286 | |||
Oval ID: | oval:org.mitre.oval:def:8286 | ||
Title: | DSA-1682 squirrelmail -- insufficient input sanitising | ||
Description: | Ivan Markovic discovered that SquirrelMail, a webmail application, did not sufficiently sanitise incoming HTML email, allowing an attacker to perform cross site scripting through sending a malicious HTML email. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1682 CVE-2008-2379 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | squirrelmail |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:9764 | |||
Oval ID: | oval:org.mitre.oval:def:9764 | ||
Title: | Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message. | ||
Description: | Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-2379 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2011-08-09 | Name : CentOS Update for squirrelmail CESA-2009:0057 centos5 i386 File : nvt/gb_CESA-2009_0057_squirrelmail_centos5_i386.nasl |
2011-08-09 | Name : CentOS Update for squirrelmail CESA-2009:0057 centos4 i386 File : nvt/gb_CESA-2009_0057_squirrelmail_centos4_i386.nasl |
2011-08-09 | Name : CentOS Update for squirrelmail CESA-2009:0057 centos3 i386 File : nvt/gb_CESA-2009_0057_squirrelmail_centos3_i386.nasl |
2011-08-09 | Name : CentOS Update for squirrelmail CESA-2009:0010 centos5 i386 File : nvt/gb_CESA-2009_0010_squirrelmail_centos5_i386.nasl |
2011-08-09 | Name : CentOS Update for squirrelmail CESA-2009:0010 centos4 i386 File : nvt/gb_CESA-2009_0010_squirrelmail_centos4_i386.nasl |
2011-08-09 | Name : CentOS Update for squirrelmail CESA-2009:0010 centos3 i386 File : nvt/gb_CESA-2009_0010_squirrelmail_centos3_i386.nasl |
2010-05-12 | Name : Mac OS X Security Update 2009-001 File : nvt/macosx_secupd_2009-001.nasl |
2009-09-02 | Name : Fedora Core 10 FEDORA-2009-8797 (squirrelmail) File : nvt/fcore_2009_8797.nasl |
2009-06-05 | Name : Ubuntu USN-723-1 (git-core) File : nvt/ubuntu_723_1.nasl |
2009-06-05 | Name : Fedora Core 9 FEDORA-2009-5471 (squirrelmail) File : nvt/fcore_2009_5471.nasl |
2009-06-05 | Name : Fedora Core 10 FEDORA-2009-5350 (squirrelmail) File : nvt/fcore_2009_5350.nasl |
2009-05-20 | Name : Fedora Core 10 FEDORA-2009-4880 (squirrelmail) File : nvt/fcore_2009_4880.nasl |
2009-05-20 | Name : Fedora Core 9 FEDORA-2009-4870 (squirrelmail) File : nvt/fcore_2009_4870.nasl |
2009-03-02 | Name : Mandrake Security Advisory MDVSA-2009:053 (squirrelmail) File : nvt/mdksa_2009_053.nasl |
2009-02-18 | Name : SuSE Security Summary SUSE-SR:2009:004 File : nvt/suse_sr_2009_004.nasl |
2009-02-17 | Name : Fedora Update for squirrelmail FEDORA-2008-8559 File : nvt/gb_fedora_2008_8559_squirrelmail_fc9.nasl |
2009-02-17 | Name : Fedora Update for squirrelmail FEDORA-2008-9071 File : nvt/gb_fedora_2008_9071_squirrelmail_fc8.nasl |
2009-02-16 | Name : Fedora Update for squirrelmail FEDORA-2008-10740 File : nvt/gb_fedora_2008_10740_squirrelmail_fc9.nasl |
2009-02-16 | Name : Fedora Update for squirrelmail FEDORA-2008-10748 File : nvt/gb_fedora_2008_10748_squirrelmail_fc10.nasl |
2009-02-16 | Name : Fedora Update for squirrelmail FEDORA-2008-10918 File : nvt/gb_fedora_2008_10918_squirrelmail_fc8.nasl |
2009-01-20 | Name : RedHat Security Advisory RHSA-2009:0057 File : nvt/RHSA_2009_0057.nasl |
2009-01-13 | Name : RedHat Security Advisory RHSA-2009:0010 File : nvt/RHSA_2009_0010.nasl |
2009-01-13 | Name : CentOS Security Advisory CESA-2009:0010 (squirrelmail) File : nvt/ovcesa2009_0010.nasl |
2008-12-10 | Name : Debian Security Advisory DSA 1682-1 (squirrelmail) File : nvt/deb_1682_1.nasl |
2008-12-10 | Name : FreeBSD Ports: squirrelmail File : nvt/freebsd_squirrelmail6.nasl |
2008-09-24 | Name : FreeBSD Ports: squirrelmail File : nvt/freebsd_squirrelmail5.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
50460 | SquirrelMail Crafted Email HTML Hyperlink XSS |
49095 | SquirrelMail HTTPS Session Cookie Secure Flag Weakness |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2009-0057.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2009-0010.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing a security update. File : sl_20090119_squirrelmail_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing a security update. File : sl_20090112_squirrelmail_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2009-05-26 | Name : The remote Fedora host is missing a security update. File : fedora_2009-5350.nasl - Type : ACT_GATHER_INFO |
2009-05-26 | Name : The remote Fedora host is missing a security update. File : fedora_2009-5471.nasl - Type : ACT_GATHER_INFO |
2009-05-13 | Name : The remote Fedora host is missing a security update. File : fedora_2009-4870.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Fedora host is missing a security update. File : fedora_2008-10748.nasl - Type : ACT_GATHER_INFO |
2009-02-13 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_SecUpd2009-001.nasl - Type : ACT_GATHER_INFO |
2009-02-12 | Name : The remote web server contains a PHP application that handles session cookies... File : squirrelmail_insecure_https_cookie.nasl - Type : ACT_GATHER_INFO |
2009-02-05 | Name : The remote openSUSE host is missing a security update. File : suse_squirrelmail-5978.nasl - Type : ACT_GATHER_INFO |
2009-01-20 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2009-0057.nasl - Type : ACT_GATHER_INFO |
2009-01-20 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2009-0057.nasl - Type : ACT_GATHER_INFO |
2009-01-13 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2009-0010.nasl - Type : ACT_GATHER_INFO |
2009-01-13 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2009-0010.nasl - Type : ACT_GATHER_INFO |
2008-12-16 | Name : The remote openSUSE host is missing a security update. File : suse_squirrelmail-5860.nasl - Type : ACT_GATHER_INFO |
2008-12-11 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1682.nasl - Type : ACT_GATHER_INFO |
2008-12-08 | Name : The remote Fedora host is missing a security update. File : fedora_2008-10918.nasl - Type : ACT_GATHER_INFO |
2008-12-08 | Name : The remote Fedora host is missing a security update. File : fedora_2008-10740.nasl - Type : ACT_GATHER_INFO |
2008-12-05 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_d1ce8a4fc23511dd8cbc00163e000016.nasl - Type : ACT_GATHER_INFO |
2008-12-05 | Name : The remote openSUSE host is missing a security update. File : suse_squirrelmail-5835.nasl - Type : ACT_GATHER_INFO |
2008-11-21 | Name : The remote openSUSE host is missing a security update. File : suse_squirrelmail-5792.nasl - Type : ACT_GATHER_INFO |
2008-11-18 | Name : The remote openSUSE host is missing a security update. File : suse_squirrelmail-5778.nasl - Type : ACT_GATHER_INFO |
2008-10-27 | Name : The remote Fedora host is missing a security update. File : fedora_2008-9071.nasl - Type : ACT_GATHER_INFO |
2008-10-24 | Name : The remote Fedora host is missing a security update. File : fedora_2008-8559.nasl - Type : ACT_GATHER_INFO |
2008-09-24 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_a0afb4b989a111dda65b00163e000016.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:52:10 |
|
2013-05-11 00:50:40 |
|