|Category:||Red Hat Local Security Checks|
|Title:||RedHat Security Advisory RHSA-2004:654|
|Summary:||Redhat Security Advisory RHSA-2004:654|
The remote host is missing updates announced in
SquirrelMail is a webmail package written in PHP.
A cross-site scripting bug has been found in SquirrelMail. This issue
could allow an attacker to send a mail with a carefully crafted header,
which could result in causing the victim's machine to execute a malicious
script. The Common Vulnerabilities and Exposures project has assigned the
name CVE-2004-1036 to this issue.
Additionally, the following issues have been addressed:
- - updated splash screens
- - HIGASHIYAMA Masato's patch to improve Japanese support
- - real 1.4.3a tarball
- - config_local.php and default_pref in /etc/squirrelmail/ to match upstream
Please note that it is possible that upgrading to this package may remove
your SquirrelMail configuration files due to a bug in the RPM package.
Upgrading will prevent this from happening in the future.
Users of SquirrelMail are advised to upgrade to this updated package which
contains a patched version of SquirrelMail version 1.43a and is not
vulnerable to these issues.
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date
Risk factor : High
Common Vulnerability Exposure (CVE) ID: CVE-2004-1036|
Bugtraq: 20041110 [SquirrelMail Security Advisory] Cross Site Scripting in encoded text (Google Search)
Conectiva Linux advisory: CLA-2004:905
XForce ISS Database: squirrelmail-mime-xss(18031)
|Copyright||Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com|
|This is only one of 43180 vulnerability tests in our test suite. Find out more about running a complete security audit.|
To run a free test of this vulnerability against your system, register below.