CentOS Local Security Checks : CentOS Update for squirrelmail CESA-2009:0010 centos5 i386

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.880721

Categoría: CentOS Local Security Checks

Título: CentOS Update for squirrelmail CESA-2009:0010 centos5 i386

Resumen: The remote host is missing an update for the 'squirrelmail'; package(s) announced via the referenced advisory.

Descripción: Summary:
The remote host is missing an update for the 'squirrelmail'
package(s) announced via the referenced advisory.

Vulnerability Insight:
SquirrelMail is an easy-to-configure, standards-based, webmail package
written in PHP. It includes built-in PHP support for the IMAP and SMTP
protocols, and pure HTML 4.0 page-rendering (with no JavaScript required)
for maximum browser-compatibility, strong MIME support, address books, and
folder manipulation.

Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail
caused by insufficient HTML mail sanitization. A remote attacker could send
a specially-crafted HTML mail or attachment that could cause a user's Web
browser to execute a malicious script in the context of the SquirrelMail
session when that email or attachment was opened by the user.
(CVE-2008-2379)

It was discovered that SquirrelMail allowed cookies over insecure
connections (ie did not restrict cookies to HTTPS connections). An attacker
who controlled the communication channel between a user and the
SquirrelMail server, or who was able to sniff the user's network
communication, could use this flaw to obtain the user's session cookie, if
a user made an HTTP request to the server. (CVE-2008-3663)

Note: After applying this update, all session cookies set for SquirrelMail
sessions started over HTTPS connections will have the 'secure' flag set.
That is, browsers will only send such cookies over an HTTPS connection. If
needed, you can revert to the previous behavior by setting the
configuration option '$only_secure_cookies' to 'false'
in SquirrelMail's /etc/squirrelmail/config.php configuration file.

Users of squirrelmail should upgrade to this updated package, which
contains backported patches to correct these issues.

Affected Software/OS:
squirrelmail on CentOS 5

Solution:
Please install the updated packages.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2008-2379
http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html
BugTraq ID: 32603
http://www.securityfocus.com/bid/32603
Debian Security Information: DSA-1682 (Google Search)
http://www.debian.org/security/2008/dsa-1682
https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00223.html
https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00449.html
http://security-net.biz/wsw/index.php?p=254&n=190
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9764
http://secunia.com/advisories/32143
http://secunia.com/advisories/33054
http://secunia.com/advisories/33071
http://secunia.com/advisories/33937
SuSE Security Announcement: SUSE-SR:2008:027 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
http://www.vupen.com/english/advisories/2008/3332
XForce ISS Database: squirrelmail-html-xss(47024)
https://exchange.xforce.ibmcloud.com/vulnerabilities/47024
Common Vulnerability Exposure (CVE) ID: CVE-2008-3663
BugTraq ID: 31321
http://www.securityfocus.com/bid/31321
Bugtraq: 20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663 (Google Search)
http://www.securityfocus.com/archive/1/496601/100/0/threaded
http://int21.de/cve/CVE-2008-3663-squirrelmail.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548
http://securityreason.com/securityalert/4304
SuSE Security Announcement: SUSE-SR:2008:028 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html
SuSE Security Announcement: SUSE-SR:2009:004 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
XForce ISS Database: squirrelmail-cookie-session-hijacking(45700)
https://exchange.xforce.ibmcloud.com/vulnerabilities/45700

Copyright Copyright (C) 2011 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.880721
Categoría:	CentOS Local Security Checks
Título:	CentOS Update for squirrelmail CESA-2009:0010 centos5 i386
Resumen:	The remote host is missing an update for the 'squirrelmail'; package(s) announced via the referenced advisory.
Descripción:	Summary: The remote host is missing an update for the 'squirrelmail' package(s) announced via the referenced advisory. Vulnerability Insight: SquirrelMail is an easy-to-configure, standards-based, webmail package written in PHP. It includes built-in PHP support for the IMAP and SMTP protocols, and pure HTML 4.0 page-rendering (with no JavaScript required) for maximum browser-compatibility, strong MIME support, address books, and folder manipulation. Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail caused by insufficient HTML mail sanitization. A remote attacker could send a specially-crafted HTML mail or attachment that could cause a user's Web browser to execute a malicious script in the context of the SquirrelMail session when that email or attachment was opened by the user. (CVE-2008-2379) It was discovered that SquirrelMail allowed cookies over insecure connections (ie did not restrict cookies to HTTPS connections). An attacker who controlled the communication channel between a user and the SquirrelMail server, or who was able to sniff the user's network communication, could use this flaw to obtain the user's session cookie, if a user made an HTTP request to the server. (CVE-2008-3663) Note: After applying this update, all session cookies set for SquirrelMail sessions started over HTTPS connections will have the 'secure' flag set. That is, browsers will only send such cookies over an HTTPS connection. If needed, you can revert to the previous behavior by setting the configuration option '$only_secure_cookies' to 'false' in SquirrelMail's /etc/squirrelmail/config.php configuration file. Users of squirrelmail should upgrade to this updated package, which contains backported patches to correct these issues. Affected Software/OS: squirrelmail on CentOS 5 Solution: Please install the updated packages. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2008-2379 http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html BugTraq ID: 32603 http://www.securityfocus.com/bid/32603 Debian Security Information: DSA-1682 (Google Search) http://www.debian.org/security/2008/dsa-1682 https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00223.html https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00449.html http://security-net.biz/wsw/index.php?p=254&n=190 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9764 http://secunia.com/advisories/32143 http://secunia.com/advisories/33054 http://secunia.com/advisories/33071 http://secunia.com/advisories/33937 SuSE Security Announcement: SUSE-SR:2008:027 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html http://www.vupen.com/english/advisories/2008/3332 XForce ISS Database: squirrelmail-html-xss(47024) https://exchange.xforce.ibmcloud.com/vulnerabilities/47024 Common Vulnerability Exposure (CVE) ID: CVE-2008-3663 BugTraq ID: 31321 http://www.securityfocus.com/bid/31321 Bugtraq: 20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663 (Google Search) http://www.securityfocus.com/archive/1/496601/100/0/threaded http://int21.de/cve/CVE-2008-3663-squirrelmail.html https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548 http://securityreason.com/securityalert/4304 SuSE Security Announcement: SUSE-SR:2008:028 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html SuSE Security Announcement: SUSE-SR:2009:004 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html XForce ISS Database: squirrelmail-cookie-session-hijacking(45700) https://exchange.xforce.ibmcloud.com/vulnerabilities/45700
Copyright	Copyright (C) 2011 Greenbone AG