SecurityTracker
Archives
Category: Application (E-mail Server) > SquirrelMail
Vendors: SquirrelMail Development Team
(Fedora Issues Fix for FC2) SquirrelMail Input Validation Hole in 'mime.php' Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1012345
SecurityTracker URL: http://securitytracker.com/id/1012345
CVE Reference: CVE-2004-1036
Date: Nov 29 2004
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.4.3a and earlier; SquirrelMail 1.5.1-cvs before October 23, 2004
Description:   An input validation vulnerability was reported in SquirrelMail in 'mime.php'. A remote user can conduct cross-site scripting attacks.

The vendor reported that the software does not properly validate encoded text in certain headers. A remote user can create specially crafted e-mail that, when viewed by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the SquirrelMail software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
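As an added illustration (Python, not SquirrelMail's mime.php or the vendor's patch) of the defect class the advisory describes: text hidden inside an RFC 2047 encoded-word passes a check made on the raw header untouched, so escaping has to happen after decoding, and a gateway check has to inspect the decoded text. The header value, the tag and the addresses are constructed for this example.

```python
import base64
import html
import re

# RFC 2047 encoded-word: =?charset?B|Q?payload?=
ENCODED_WORD = re.compile(r'=\?([^?]+)\?([bBqQ])\?([^?]*)\?=')


def _decode_one(charset: str, encoding: str, payload: str) -> str:
    """Decode a single encoded-word's payload to text."""
    if encoding.upper() == 'B':
        raw = base64.b64decode(payload)
    else:  # Q-encoding: '_' is a space, =XX is one byte written in hex
        raw = re.sub(r'=([0-9A-Fa-f]{2})', lambda h: chr(int(h.group(1), 16)),
                     payload.replace('_', ' ')).encode('latin-1')
    try:
        return raw.decode(charset, errors='replace')
    except LookupError:  # unknown charset label: degrade to latin-1, never fail open
        return raw.decode('latin-1')


def decode_encoded_words(value: str) -> str:
    """Replace every encoded-word in a header value with its decoded text."""
    return ENCODED_WORD.sub(lambda m: _decode_one(*m.groups()), value)


def render_unsafe(value: str) -> str:
    """Defective ordering: escape the raw header, then decode. The encoded form
    holds no '<' or '>', so escaping is a no-op and decoded markup reaches the page."""
    return decode_encoded_words(html.escape(value))


def render_safe(value: str) -> str:
    """Correct ordering: decode first, then escape the text actually emitted as HTML."""
    return html.escape(decode_encoded_words(value))


def hidden_markup(value: str) -> list:
    """Gateway/log check: decoded encoded-words that carry an HTML tag. Only encoded
    text is inspected, because that is what a check on the raw header never sees."""
    found = []
    for m in ENCODED_WORD.finditer(value):
        text = _decode_one(*m.groups())
        if re.search(r'<\s*/?[a-zA-Z]', text):
            found.append(text)
    return found


# Constructed sample (not from the advisory): a From display-name whose
# encoded-word decodes to text containing a harmless <b> tag.
SAMPLE_FROM = '"=?utf-8?B?%s?=" <bob@example.com>' % base64.b64encode(b'<b>Bob</b>').decode()

if __name__ == '__main__':
    print('unsafe:', render_unsafe(SAMPLE_FROM))
    print('safe:  ', render_safe(SAMPLE_FROM))
    print('flagged:', hidden_markup(SAMPLE_FROM))
```

In production code use the standard library's `email.header.decode_header` rather than the hand-rolled decoder; the ordering lesson is the same.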

The flaw resides in 'mime.php'.

The vendor credits Joost Pol with reporting this flaw.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the SquirrelMail software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   Fedora has released a fix, available at:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

ef1c31c817be7a19cb217f17c79fda8c  SRPMS/squirrelmail-1.4.3a-6.FC2.src.rpm
523c3aa13e3a2f134c12cf2df5b8d3cc  x86_64/squirrelmail-1.4.3a-6.FC2.noarch.rpm
523c3aa13e3a2f134c12cf2df5b8d3cc  i386/squirrelmail-1.4.3a-6.FC2.noarch.rpm

Vendor URL: www.squirrelmail.org/
Cause:   Input validation error
Underlying OS:  Linux (Red Hat Fedora)
Underlying OS Comments:  FC2

Message History:   This archive entry is a follow-up to the message listed below.
Nov 10 2004 SquirrelMail Input Validation Hole in 'mime.php' Lets Remote Users Conduct Cross-Site Scripting Attacks



 Source Message Contents

Subject:  [SECURITY] Fedora Core 2 Update: squirrelmail-1.4.3a-6.FC2


---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-471
2004-11-28
---------------------------------------------------------------------

Product     : Fedora Core 2
Name        : squirrelmail
Version     : 1.4.3a
Release     : 6.FC2
Summary     : SquirrelMail webmail client
Description :
SquirrelMail is a standards-based webmail package written in PHP4. It
includes built-in pure PHP support for the IMAP and SMTP protocols, and
all pages render in pure HTML 4.0 (with no Javascript) for maximum
compatibility across browsers.  It has very few requirements and is very
easy to configure and install. SquirrelMail has all the functionality
you would want from an email client, including strong MIME support,
address books, and folder manipulation.

---------------------------------------------------------------------

* Fri Nov 19 2004 Warren Togami <wtogami@redhat.com> 1.4.3a-6.FC2
- FC2

* Fri Nov 19 2004 Warren Togami <wtogami@redhat.com> 1.4.3a-7
- CAN-2004-1036 Cross Site Scripting in encoded text
- #112769 updated splash screens

* Thu Oct 14 2004 Warren Togami <wtogami@redhat.com> 1.4.3a-5
- default_folder_prefix dovecot compatible by default
   /etc/squirrelmail/config_local.php if you must change it

* Wed Oct 13 2004 Warren Togami <wtogami@redhat.com> 1.4.3a-4
- HIGASHIYAMA Masato's patch to improve Japanese support
   (coordinated by Scott A. Hughes).
- real 1.4.3a tarball

* Tue Aug 31 2004 Warren Togami <wtogami@redhat.com> 1.4.3-2
- #125638 config_local.php and default_pref in /etc/squirrelmail/
   to match upstream RPM.  This should allow smoother drop-in
   replacements and upgrades.
- other spec cleanup.

---------------------------------------------------------------------
This update can be downloaded from:
   http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

ef1c31c817be7a19cb217f17c79fda8c  SRPMS/squirrelmail-1.4.3a-6.FC2.src.rpm
523c3aa13e3a2f134c12cf2df5b8d3cc  x86_64/squirrelmail-1.4.3a-6.FC2.noarch.rpm
523c3aa13e3a2f134c12cf2df5b8d3cc  i386/squirrelmail-1.4.3a-6.FC2.noarch.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------

--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list

Copyright 2019, SecurityGlobal.net LLC