Executive Summary
Summary |
---|---
Title | squirrelmail security update
Information | | |
---|---|---|---
Name | RHSA-2009:1490 | First vendor Publication | 2009-10-08
Vendor | RedHat | Last vendor Modification | 2009-10-08
Severity (Vendor) | Moderate | Revision | 01
Security-Database Scoring CVSS v3
Cvss vector : N/A | | |
---|---|---|---
Overall CVSS Score | NA | |
Base Score | NA | Environmental Score | NA
Impact SubScore | NA | Temporal Score | NA
Exploitability Sub Score | NA | |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | | |
---|---|---|---
Cvss Base Score | 6.8 | Attack Range | Network
Cvss Impact Score | 6.4 | Attack Complexity | Medium
Cvss Exploit Score | 8.6 | Authentication | None Required
Detail
Problem Description:

An updated squirrelmail package that fixes several security issues is now available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - noarch
Red Hat Desktop version 3 - noarch
Red Hat Enterprise Linux (v. 5 server) - noarch
Red Hat Enterprise Linux AS version 3 - noarch
Red Hat Enterprise Linux AS version 4 - noarch
Red Hat Enterprise Linux Desktop version 4 - noarch
Red Hat Enterprise Linux ES version 3 - noarch
Red Hat Enterprise Linux ES version 4 - noarch
Red Hat Enterprise Linux WS version 3 - noarch
Red Hat Enterprise Linux WS version 4 - noarch

3. Description:

SquirrelMail is a standards-based webmail package written in PHP.

Form submissions in SquirrelMail did not implement protection against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker tricked a user into visiting a malicious web page, the attacker could hijack that user's authentication, inject malicious content into that user's preferences, or possibly send mail without that user's permission. (CVE-2009-2964)

Users of SquirrelMail should upgrade to this updated package, which contains a backported patch to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

517312 - CVE-2009-2964 squirrelmail: CSRF issues in all forms
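As an added illustration (not SquirrelMail code and not part of the advisory), the defect class behind CVE-2009-2964 and its standard fix: a preferences handler that honours any POST the browser delivers with the victim's session cookie, beside one that binds each state-changing form to a per-session random token which a page on another origin cannot read and therefore cannot supply. Function and field names are assumed.

```php
<?php
// Added example, not SquirrelMail code: the CSRF defect class and the
// synchronizer-token mitigation that a backported patch typically adds.
session_start();

// Vulnerable pattern: nothing ties this POST to a form the user actually
// loaded, so a form auto-submitted from a malicious page is accepted
// because the browser attaches the victim's session cookie.
function save_preferences_unprotected(array $post): void {
    $_SESSION['prefs']['signature'] = $post['signature'] ?? '';
}

// Mitigation step 1: one unguessable token per session.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Mitigation step 2: embed the token in every state-changing form.
function render_form(): string {
    $tok = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="options.php">'
         . '<input type="hidden" name="csrf_token" value="' . $tok . '">'
         . '<textarea name="signature"></textarea>'
         . '<input type="submit" value="Save"></form>';
}

// Mitigation step 3: verify it before acting; a missing or empty token
// never matches, and hash_equals avoids a timing side channel.
function verify_csrf(array $post): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

function save_preferences_protected(array $post): bool {
    if (!verify_csrf($post)) {
        http_response_code(403);   // cross-site submission rejected here
        return false;
    }
    $_SESSION['prefs']['signature'] = $post['signature'] ?? '';
    return true;
}

// Constructed inputs: a forged request cannot carry the session's token,
// a genuine one rendered through render_form() can.
if (PHP_SAPI === 'cli') {
    var_dump(save_preferences_protected(['signature' => 'injected']));
    var_dump(save_preferences_protected(['signature' => 'mine', 'csrf_token' => csrf_token()]));
}
```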
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2009-1490.html
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-352 | Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25) |
OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10668

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:10668
Title | Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.
Description | Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.
Family | unix
Class | vulnerability
Reference(s) | CVE-2009-2964
Version | 5
Platform(s) | Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4, Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5
Product(s) |
Definition Synopsis |

Definition Id: oval:org.mitre.oval:def:22828

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:22828
Title | ELSA-2009:1490: squirrelmail security update (Moderate)
Description | Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.
Family | unix
Class | patch
Reference(s) | ELSA-2009:1490-01, CVE-2009-2964
Version | 6
Platform(s) | Oracle Linux 5
Product(s) | squirrelmail
Definition Synopsis |

Definition Id: oval:org.mitre.oval:def:29190

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:29190
Title | RHSA-2009:1490 -- squirrelmail security update (Moderate)
Description | An updated squirrelmail package that fixes several security issues is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
Family | unix
Class | patch
Reference(s) | RHSA-2009:1490, CESA-2009:1490-CentOS 3, CVE-2009-2964
Version | 3
Platform(s) | Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 3
Product(s) | squirrelmail
Definition Synopsis |
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Name | File
---|---|---
2011-08-09 | CentOS Update for squirrelmail CESA-2009:1490 centos3 i386 | nvt/gb_CESA-2009_1490_squirrelmail_centos3_i386.nasl
2011-08-09 | CentOS Update for squirrelmail CESA-2009:1490 centos4 i386 | nvt/gb_CESA-2009_1490_squirrelmail_centos4_i386.nasl
2010-08-21 | Debian Security Advisory DSA 2091-1 (squirrelmail) | nvt/deb_2091_1.nasl
2009-10-13 | RedHat Security Advisory RHSA-2009:1490 | nvt/RHSA_2009_1490.nasl
2009-10-13 | CentOS Security Advisory CESA-2009:1490 (squirrelmail) | nvt/ovcesa2009_1490.nasl
2009-09-02 | Fedora Core 11 FEDORA-2009-8822 (squirrelmail) | nvt/fcore_2009_8822.nasl
2009-09-02 | Mandrake Security Advisory MDVSA-2009:222 (squirrelmail) | nvt/mdksa_2009_222.nasl
2009-08-28 | SquirrelMail Multiple Cross-Site Request Forgery Vulnerabilities | nvt/secpod_squirrelmail_csrf_vuln.nasl
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
57001 | SquirrelMail Multiple Form Pages CSRF |
Nessus® Vulnerability Scanner
Date | Name | File | Type
---|---|---|---
2013-07-12 | The remote Oracle Linux host is missing a security update. | oraclelinux_ELSA-2009-1490.nasl | ACT_GATHER_INFO
2012-08-01 | The remote Scientific Linux host is missing a security update. | sl_20091008_squirrelmail_on_SL3_x.nasl | ACT_GATHER_INFO
2010-08-17 | The remote Debian host is missing a security-related update. | debian_DSA-2091.nasl | ACT_GATHER_INFO
2010-06-15 | The remote host is missing a Mac OS X update that fixes various security issues. | macosx_10_6_4.nasl | ACT_GATHER_INFO
2010-06-15 | The remote host is missing a Mac OS X update that fixes a security issue. | macosx_SecUpd2010-004.nasl | ACT_GATHER_INFO
2009-10-09 | The remote CentOS host is missing a security update. | centos_RHSA-2009-1490.nasl | ACT_GATHER_INFO
2009-10-09 | The remote Red Hat host is missing a security update. | redhat-RHSA-2009-1490.nasl | ACT_GATHER_INFO
2009-08-24 | The remote Fedora host is missing a security update. | fedora_2009-8797.nasl | ACT_GATHER_INFO
2009-08-24 | The remote Fedora host is missing a security update. | fedora_2009-8822.nasl | ACT_GATHER_INFO
Alert History
Date | Information
---|---
2014-02-17 11:52:56 |