Conectiva Local Security Checks : Conectiva Security Advisory CLA-2003:690

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.51434

Categoría: Conectiva Local Security Checks

Título: Conectiva Security Advisory CLA-2003:690

Resumen: NOSUMMARY

Descripción: Description:

The remote host is missing updates announced in
advisory CLA-2003:690.

Imp[1] is a webmail system which uses the Horde framework.

Jouko Pynnonen reported[3] that the Imp webmail version 2.x has a SQL
injection vulnerability[2].

Imp can optionally store user preferences, contacts list and session
IDs in a SQL database. A remote attacker can use this vulnerability
to execute SQL commands and possibly get session IDs and steal
another user's webmail session. Other consequences are possible and
depend on the privileges Imp has in the database. Usually, these
privileges are limited to the Imp database itself, but this is site
and database specific.

This update also contains some fixes for Imp and Horde to make them
work with PHP 4.3.2.

Solution:
The apt tool can be used to perform RPM package upgrades
by running 'apt-get update' followed by 'apt-get upgrade'

http://www.securityspace.com/smysecure/catid.html?in=CLA-2003:690
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002003

Risk factor : High

CVSS Score:
7.5

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2003-0025
BugTraq ID: 6559
http://www.securityfocus.com/bid/6559
Bugtraq: 20030108 IMP 2.x SQL injection vulnerabilities (Google Search)
http://marc.info/?l=bugtraq&m=104204786206563&w=2
Bugtraq: 20030108 Re: IMP 2.x SQL injection vulnerabilities (Google Search)
http://www.securityfocus.com/archive/1/306268
Debian Security Information: DSA-229 (Google Search)
http://www.debian.org/security/2003/dsa-229
http://www.securitytracker.com/id?1005904
http://secunia.com/advisories/8087
http://secunia.com/advisories/8177
SuSE Security Announcement: SuSE-SA:2003:0008 (Google Search)

Copyright Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.51434
Categoría:	Conectiva Local Security Checks
Título:	Conectiva Security Advisory CLA-2003:690
Resumen:	NOSUMMARY
Descripción:	Description: The remote host is missing updates announced in advisory CLA-2003:690. Imp[1] is a webmail system which uses the Horde framework. Jouko Pynnonen reported[3] that the Imp webmail version 2.x has a SQL injection vulnerability[2]. Imp can optionally store user preferences, contacts list and session IDs in a SQL database. A remote attacker can use this vulnerability to execute SQL commands and possibly get session IDs and steal another user's webmail session. Other consequences are possible and depend on the privileges Imp has in the database. Usually, these privileges are limited to the Imp database itself, but this is site and database specific. This update also contains some fixes for Imp and Horde to make them work with PHP 4.3.2. Solution: The apt tool can be used to perform RPM package upgrades by running 'apt-get update' followed by 'apt-get upgrade' http://www.securityspace.com/smysecure/catid.html?in=CLA-2003:690 http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002003 Risk factor : High CVSS Score: 7.5
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2003-0025 BugTraq ID: 6559 http://www.securityfocus.com/bid/6559 Bugtraq: 20030108 IMP 2.x SQL injection vulnerabilities (Google Search) http://marc.info/?l=bugtraq&m=104204786206563&w=2 Bugtraq: 20030108 Re: IMP 2.x SQL injection vulnerabilities (Google Search) http://www.securityfocus.com/archive/1/306268 Debian Security Information: DSA-229 (Google Search) http://www.debian.org/security/2003/dsa-229 http://www.securitytracker.com/id?1005904 http://secunia.com/advisories/8087 http://secunia.com/advisories/8177 SuSE Security Announcement: SuSE-SA:2003:0008 (Google Search)
Copyright	Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com