CGI abuses : SquirrelMail XSS and Local escalation

Price/Feature Summary | Order | New Vulnerabilities | Confidentiality | Vulnerability Search

Vulnerability Search		Search 61204 CVE descriptions and 32582 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.14228

Category: CGI abuses

Title: SquirrelMail XSS and Local escalation

Summary: SquirrelMail XSS and Local escalation

Description:
The remote host is running SquirrelMail, a web-based mail server.

There are several flaws in all versions less than 1.4.3 and development
versions 1.5.0 and 1.5.1 which allow for local root access and remote
Cross-Site-Scripting (XSS) attacks.

***** Nessus has determined the vulnerability exists on the target
***** simply by looking at the version number of Squirrelmail
***** installed there.

Solution : Upgrade to SquirrelMail 1.4.3 or greater.

Risk factor : Medium

Cross-Ref: BugTraq ID: 10246
BugTraq ID: 10397
BugTraq ID: 10439
Common Vulnerability Exposure (CVE) ID: CVE-2004-0519
Bugtraq: 20040429 SquirrelMail Cross Scripting Attacks.... (Google Search)
http://marc.theaimsgroup.com/?l=bugtraq&m=108334862800260
Bugtraq: 20040430 Re: SquirrelMail Cross Scripting Attacks.... (Google Search)
http://www.securityfocus.com/archive/1/361857
Conectiva Linux advisory: CLA-2004:858
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000858
Debian Security Information: DSA-535 (Google Search)
http://www.debian.org/security/2004/dsa-535
http://www.securityfocus.com/advisories/6827
https://bugzilla.fedora.us/show_bug.cgi?id=1733
http://security.gentoo.org/glsa/glsa-200405-16.xml
RedHat Security Advisories: RHSA-2004:240
http://rhn.redhat.com/errata/RHSA-2004-240.html
SGI Security Advisory: 20040604-01-U
ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc
SuSE Security Announcement: SUSE-SR:2005:019 (Google Search)
http://www.novell.com/linux/security/advisories/2005_19_sr.html
http://www.securityfocus.com/bid/10246
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1006
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10274
http://secunia.com/advisories/11531
http://secunia.com/advisories/11686
http://secunia.com/advisories/11870
http://secunia.com/advisories/12289
XForce ISS Database: squirrel-composephp-xss(16025)
http://xforce.iss.net/xforce/xfdb/16025
Common Vulnerability Exposure (CVE) ID: CVE-2004-0520
Bugtraq: 20040530 RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability (Google Search)
http://marc.theaimsgroup.com/?l=bugtraq&m=108611554415078&w=2
http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
http://marc.theaimsgroup.com/?l=squirrelmail-cvs&m=108532891231712
http://www.gentoo.org/security/en/glsa/glsa-200406-08.xml
http://www.securityfocus.com/bid/10439
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1012
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10766
Common Vulnerability Exposure (CVE) ID: CVE-2004-0521
http://marc.theaimsgroup.com/?l=squirrelmail-cvs&m=108309375029888
http://www.securityfocus.com/advisories/7148
Computer Incident Advisory Center Bulletin: O-212
http://www.ciac.org/ciac/bulletins/o-212.shtml
http://www.securityfocus.com/bid/10397
http://www.osvdb.org/6841
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1033
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11446
http://secunia.com/advisories/11685
XForce ISS Database: squirrelmail-sql-injection(16235)
http://xforce.iss.net/xforce/xfdb/16235

Copyright This script is Copyright (C) 2004 George A. Theall and Tenable Network Security

This is only one of 32582 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

New User Registration
Email:

UserID:

Passwd:

Please email me your monthly newsletters, informing the latest services, improvements & surveys.

Please email me a vulnerability test announcement whenever a new test is added.

Privacy

Registered User Login

UserID:

Passwd:

Forgot userid or passwd?

Email/Userid:

Test ID:	1.3.6.1.4.1.25623.1.0.14228
Category:	CGI abuses
Title:	SquirrelMail XSS and Local escalation
Summary:	SquirrelMail XSS and Local escalation
Description:	The remote host is running SquirrelMail, a web-based mail server. There are several flaws in all versions less than 1.4.3 and development versions 1.5.0 and 1.5.1 which allow for local root access and remote Cross-Site-Scripting (XSS) attacks. *** Nessus has determined the vulnerability exists on the target * simply by looking at the version number of Squirrelmail *** installed there. Solution : Upgrade to SquirrelMail 1.4.3 or greater. Risk factor : Medium
Cross-Ref:	BugTraq ID: 10246 BugTraq ID: 10397 BugTraq ID: 10439 Common Vulnerability Exposure (CVE) ID: CVE-2004-0519 Bugtraq: 20040429 SquirrelMail Cross Scripting Attacks.... (Google Search) http://marc.theaimsgroup.com/?l=bugtraq&m=108334862800260 Bugtraq: 20040430 Re: SquirrelMail Cross Scripting Attacks.... (Google Search) http://www.securityfocus.com/archive/1/361857 Conectiva Linux advisory: CLA-2004:858 http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000858 Debian Security Information: DSA-535 (Google Search) http://www.debian.org/security/2004/dsa-535 http://www.securityfocus.com/advisories/6827 https://bugzilla.fedora.us/show_bug.cgi?id=1733 http://security.gentoo.org/glsa/glsa-200405-16.xml RedHat Security Advisories: RHSA-2004:240 http://rhn.redhat.com/errata/RHSA-2004-240.html SGI Security Advisory: 20040604-01-U ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc SuSE Security Announcement: SUSE-SR:2005:019 (Google Search) http://www.novell.com/linux/security/advisories/2005_19_sr.html http://www.securityfocus.com/bid/10246 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1006 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10274 http://secunia.com/advisories/11531 http://secunia.com/advisories/11686 http://secunia.com/advisories/11870 http://secunia.com/advisories/12289 XForce ISS Database: squirrel-composephp-xss(16025) http://xforce.iss.net/xforce/xfdb/16025 Common Vulnerability Exposure (CVE) ID: CVE-2004-0520 Bugtraq: 20040530 RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability (Google Search) http://marc.theaimsgroup.com/?l=bugtraq&m=108611554415078&w=2 http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt http://marc.theaimsgroup.com/?l=squirrelmail-cvs&m=108532891231712 http://www.gentoo.org/security/en/glsa/glsa-200406-08.xml http://www.securityfocus.com/bid/10439 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1012 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10766 Common Vulnerability Exposure (CVE) ID: CVE-2004-0521 http://marc.theaimsgroup.com/?l=squirrelmail-cvs&m=108309375029888 http://www.securityfocus.com/advisories/7148 Computer Incident Advisory Center Bulletin: O-212 http://www.ciac.org/ciac/bulletins/o-212.shtml http://www.securityfocus.com/bid/10397 http://www.osvdb.org/6841 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1033 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11446 http://secunia.com/advisories/11685 XForce ISS Database: squirrelmail-sql-injection(16235) http://xforce.iss.net/xforce/xfdb/16235
Copyright	This script is Copyright (C) 2004 George A. Theall and Tenable Network Security