Executive Summary

Summary
Title Updated SquirrelMail package fixes multiple vulnerabilities
Informations
Name RHSA-2004:240 First vendor Publication 2004-06-14
Vendor RedHat Last vendor Modification 2004-06-14
Severity (Vendor) N/A Revision 01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2004-240.html

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:1006
 
Oval ID: oval:org.mitre.oval:def:1006
Title: SquirrelMail Cross-site Scripting Vulnerability I
Description: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.
Family: unix Class: vulnerability
Reference(s): CVE-2004-0519
 Version: 3
Platform(s): Red Hat Enterprise Linux 3
 Product(s): SquirrelMail
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:1012
 
Oval ID: oval:org.mitre.oval:def:1012
Title: SquirrelMail Cross-site Scripting Vulnerability II
Description: Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php.
Family: unix Class: vulnerability
Reference(s): CVE-2004-0520
 Version: 3
Platform(s): Red Hat Enterprise Linux 3
 Product(s): SquirrelMail
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:10274
 
Oval ID: oval:org.mitre.oval:def:10274
Title: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.
Description: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.
Family: unix Class: vulnerability
Reference(s): CVE-2004-0519
 Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:1033
 
Oval ID: oval:org.mitre.oval:def:1033
Title: SquirrelMail SQL Injection Vulnerability
Description: SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php.
Family: unix Class: vulnerability
Reference(s): CVE-2004-0521
 Version: 3
Platform(s): Red Hat Enterprise Linux 3
 Product(s): SquirrelMail
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:10766
 
Oval ID: oval:org.mitre.oval:def:10766
Title: Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php.
Description: Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php.
Family: unix Class: vulnerability
Reference(s): CVE-2004-0520
 Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11446
 
Oval ID: oval:org.mitre.oval:def:11446
Title: SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php.
Description: SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php.
Family: unix Class: vulnerability
Reference(s): CVE-2004-0521
 Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
 Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 3
Application 1
Application 19

OpenVAS Exploits

Date Description
2008-09-24 Name : Gentoo Security Advisory GLSA 200405-16 (SquirrelMail)
File : nvt/glsa_200405_16.nasl
2008-09-24 Name : Gentoo Security Advisory GLSA 200406-08 (Squirrelmail)
File : nvt/glsa_200406_08.nasl
2008-09-04 Name : FreeBSD Ports: openwebmail
File : nvt/freebsd_openwebmail.nasl
2008-01-17 Name : Debian Security Advisory DSA 535-1 (squirrelmail)
File : nvt/deb_535_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
6841 SquirrelMail abook_database.php SQL Injection

SquirrelMail contains a flaw that will allow an attacker to inject arbitrary SQL code. The issue is due to the insufficient sanitizing of data in input sent to the "abook_database.php" script. This will allow an attacker to inject or manipulate SQL queries. By sending a specially-crafted URL containing malicious SQL code, a remote attacker could add, modify or delete user information in the back-end database.
6514 SquirrelMail mime.php Content-Type XSS

Multiple Webmail products contain a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate Content-Type upon submission to the mime.php script (or whatever script controls header content-type). This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
6337 SquirreMail compose.php Multiple Parameter XSS

Squirrelmail contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate mailbox variables upon submission to the compose.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Nessus® Vulnerability Scanner

Date Description
2009-04-23 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_c5519420cec211d88898000d6111a684.nasl - Type : ACT_GATHER_INFO
2004-09-29 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-535.nasl - Type : ACT_GATHER_INFO
2004-09-08 Name : The remote host is missing a Mac OS X update that fixes a security issue.
File : macosx_SecUpd20040907.nasl - Type : ACT_GATHER_INFO
2004-08-30 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200405-16.nasl - Type : ACT_GATHER_INFO
2004-08-30 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200406-08.nasl - Type : ACT_GATHER_INFO
2004-07-23 Name : The remote Fedora Core host is missing a security update.
File : fedora_2004-159.nasl - Type : ACT_GATHER_INFO
2004-07-23 Name : The remote Fedora Core host is missing a security update.
File : fedora_2004-160.nasl - Type : ACT_GATHER_INFO
2004-07-06 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2004-240.nasl - Type : ACT_GATHER_INFO
2004-05-05 Name : The remote service is vulnerable to injection attacks allowing command execut...
File : squirrelmail_143.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:48:31
  • Multiple Updates