Category: FreeBSD Local Security Checks
Title: FreeBSD Ports: squirrelmail
Summary: FreeBSD Ports: squirrelmail
The remote host is missing an update to the system
as announced in the referenced advisory.
The following package is affected: squirrelmail
CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows
remote attackers to inject arbitrary IMAP commands via newline
characters in the mailbox parameter of the sqimap_mailbox_select
command, aka 'IMAP injection.'
Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0
to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS)
attacks via style sheet specifiers with invalid (1) '/*' and '*/'
comments, or (2) a newline in a 'url' specifier, which is processed by
certain web browsers including Internet Explorer.
webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to
inject arbitrary web pages into the right frame via a URL in the
right_frame parameter. NOTE: this has been called a cross-site
scripting (XSS) issue, but it is different from what is normally
identified as XSS.
Update your system with the appropriate patches or
Common Vulnerabilities and Exposures (CVE) ID: CVE-2006-0377
  Debian Security Information: DSA-988
  SGI Security Advisory: 20060501-01-U
  SuSE Security Announcement: SUSE-SR:2006:005
  BugTraq ID: 16756
  XForce ISS Database: squirrelmail-mailbox-imap-injection(24849)
Common Vulnerabilities and Exposures (CVE) ID: CVE-2006-0195
  XForce ISS Database: squirrelmail-magichtml-xss(24848)
Common Vulnerabilities and Exposures (CVE) ID: CVE-2006-0188
  XForce ISS Database: squirrelmail-webmail-xss(24847)
Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com