SecurityTracker.com
Category:   Application (E-mail Server)  >   SquirrelMail
Vendors:   SquirrelMail Development Team
(Fedora Issues Fix for FC3) SquirrelMail Input Validation Hole in 'mime.php' Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1012354
SecurityTracker URL:  http://securitytracker.com/id/1012354
CVE Reference:   CVE-2004-1036
Date:  Nov 29 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.4.3a and earlier; SquirrelMail 1.5.1-cvs before October 23, 2004
Description:   An input validation vulnerability was reported in SquirrelMail in 'mime.php'. A remote user can conduct cross-site scripting attacks.

The vendor reported that the software does not properly validate encoded text in certain headers. A remote user can create specially crafted e-mail that, when viewed by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the SquirrelMail software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The flaw resides in 'mime.php'.
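As an added example that is not part of this advisory or of SquirrelMail's own mime.php, the following PHP contrasts the weak pattern the description points at (decoded header text emitted into HTML as-is) with the hardened form; the function names and the sample Subject header are constructed for illustration. The escape must happen after RFC 2047 decoding, because the decoding step is what can reintroduce markup that a check on the still-encoded header would never see.

```php
<?php
// Added example, not SquirrelMail code: decode an RFC 2047 "encoded-word"
// header value and escape it before it reaches the browser. Function names
// and the sample header below are constructed for this illustration.

/**
 * Decode RFC 2047 encoded-words (=?charset?B|Q?text?=) in a header value.
 * Returns raw decoded text; it is NOT safe to emit as HTML.
 */
function decode_encoded_word(string $header): string
{
    return (string) preg_replace_callback(
        '/=\?([^?]+)\?([BbQq])\?([^?]*)\?=/',
        function (array $m): string {
            if (strtoupper($m[2]) === 'B') {
                return (string) base64_decode($m[3]);
            }
            // Q encoding: '_' stands for a space, =XX is a hex-encoded byte
            return quoted_printable_decode(str_replace('_', ' ', $m[3]));
        },
        $header
    );
}

// Weak pattern: decoded header text is concatenated straight into HTML, so
// markup hidden inside the encoded-word is interpreted by the browser.
function render_header_unsafe(string $header): string
{
    return '<td>' . decode_encoded_word($header) . '</td>';
}

// Hardened pattern: escape AFTER decoding, so angle brackets and quotes
// become entities and the browser displays them as literal text.
function render_header_safe(string $header): string
{
    $decoded = decode_encoded_word($header);
    return '<td>' . htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Constructed sample: a Subject header whose encoded-word decodes to a tag.
$subject = '=?UTF-8?B?' . base64_encode('<script>alert(1)</script>') . '?=';

echo render_header_unsafe($subject), "\n"; // tag reaches the browser intact
echo render_header_safe($subject), "\n";   // &lt;script&gt;... shown as text
```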

The vendor credits Joost Pol with reporting this flaw.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the SquirrelMail software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   Fedora has released a fix, available at:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

f3214fb13b71f13ac46fe6c440c09ad4 SRPMS/squirrelmail-1.4.3a-6.FC3.src.rpm
e0ff639d45092e5c1130c35b0dd6fbea x86_64/squirrelmail-1.4.3a-6.FC3.noarch.rpm
e0ff639d45092e5c1130c35b0dd6fbea i386/squirrelmail-1.4.3a-6.FC3.noarch.rpm

Vendor URL:  www.squirrelmail.org/
Cause:   Input validation error
Underlying OS:  Linux (Red Hat Fedora)
Underlying OS Comments:  FC3

Message History:   This archive entry is a follow-up to the message listed below.
Nov 10 2004 SquirrelMail Input Validation Hole in 'mime.php' Lets Remote Users Conduct Cross-Site Scripting Attacks



Source Message Contents

Subject:  [SECURITY] Fedora Core 3 Update: squirrelmail-1.4.3a-6.FC3


---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-472
2004-11-28
---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : squirrelmail
Version     : 1.4.3a
Release     : 6.FC3
Summary     : SquirrelMail webmail client
Description :
SquirrelMail is a standards-based webmail package written in PHP4. It
includes built-in pure PHP support for the IMAP and SMTP protocols, and
all pages render in pure HTML 4.0 (with no Javascript) for maximum
compatibility across browsers.  It has very few requirements and is very
easy to configure and install. SquirrelMail has all the functionality
you would want from an email client, including strong MIME support,
address books, and folder manipulation.

---------------------------------------------------------------------

* Fri Nov 19 2004 Warren Togami <wtogami@redhat.com> 1.4.3a-6.FC3
- FC3

* Fri Nov 19 2004 Warren Togami <wtogami@redhat.com> 1.4.3a-7
- CAN-2004-1036 Cross Site Scripting in encoded text
- #112769 updated splash screens

---------------------------------------------------------------------
This update can be downloaded from:
   http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

f3214fb13b71f13ac46fe6c440c09ad4  SRPMS/squirrelmail-1.4.3a-6.FC3.src.rpm
e0ff639d45092e5c1130c35b0dd6fbea  x86_64/squirrelmail-1.4.3a-6.FC3.noarch.rpm
e0ff639d45092e5c1130c35b0dd6fbea  i386/squirrelmail-1.4.3a-6.FC3.noarch.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------

--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list


Copyright 2019, SecurityGlobal.net LLC