Gentoo Archives: gentoo-announce

From: Rajiv Aaron Manglani <rajiv@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 200405-16 ] Multiple XSS Vulnerabilities in SquirrelMail
Date: Fri, 21 May 2004 18:14:51
Message-Id: a05210600bcd3ea1233bf@[10.96.0.12]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200405-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Multiple XSS Vulnerabilities in SquirrelMail
Date: May 21, 2004
Bugs: #49675
ID: 200405-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

SquirrelMail is subject to several XSS and one SQL injection
vulnerability.

Background
==========

SquirrelMail is a webmail package written in PHP. It supports IMAP and
SMTP, and can optionally be installed with SQL support.

Affected packages
=================

-------------------------------------------------------------------
     Package                /  Vulnerable  /            Unaffected
-------------------------------------------------------------------
  1  net-mail/squirrelmail     <= 1.4.2               >= 1.4.3_rc1

Description
===========

Several unspecified cross-site scripting (XSS) vulnerabilities and a
well-hidden SQL injection vulnerability were found. An XSS attack
allows an attacker to insert malicious code into a web-based
application. SquirrelMail does not check for code when parsing
variables received via the URL query string, so such input is used unsanitized.

Impact
======

One of the XSS vulnerabilities could be exploited by an attacker to
steal cookie-based authentication credentials from the user's browser.
The SQL injection issue could potentially be used by an attacker to run
arbitrary SQL commands inside the SquirrelMail database with privileges
of the SquirrelMail database user.
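The following PHP snippet is an added illustration of the two bug classes described in the Description and Impact sections above; it is not SquirrelMail's own code, and the function names, the `?mailbox=` parameter and the `userprefs` table are assumptions made for the example. Each class is shown in a vulnerable form (unescaped query-string value written into HTML; user input concatenated into SQL) beside the hardened form a maintainer would ship (output encoding with `htmlspecialchars`; a prepared statement through PDO). The demonstration at the end runs against an in-memory SQLite database with constructed sample data, so it needs no network and no real mail store.

```php
<?php
// Added example, not SquirrelMail code. Function names, the ?mailbox=
// parameter and the userprefs table are assumptions for this illustration.

// --- Reflected XSS via a URL query-string variable -------------------

// Vulnerable: the value of ?mailbox=... is copied straight into the page,
// so markup or script carried in a crafted link executes in the victim's
// browser session, which is how cookie-based credentials can be exposed.
function render_mailbox_title_vulnerable(string $mailbox): string {
    return "<h1>Folder: $mailbox</h1>";
}

// Hardened: HTML-encode every untrusted value at the point it is written
// into HTML. ENT_QUOTES also encodes single quotes, which matters when the
// value lands inside an attribute.
function render_mailbox_title(string $mailbox): string {
    $safe = htmlspecialchars($mailbox, ENT_QUOTES, 'UTF-8');
    return "<h1>Folder: $safe</h1>";
}

// --- SQL injection ---------------------------------------------------

// Vulnerable: string concatenation lets input terminate the quoted literal
// and change the query, which then runs as the application's database user.
function lookup_user_prefs_vulnerable(PDO $db, string $user): array {
    $sql = "SELECT prefkey, prefval FROM userprefs WHERE user = '$user'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement keeps the user-supplied value as data;
// it can never alter the structure of the statement.
function lookup_user_prefs(PDO $db, string $user): array {
    $stmt = $db->prepare("SELECT prefkey, prefval FROM userprefs WHERE user = ?");
    $stmt->execute([$user]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Self-contained demonstration (constructed sample data) ------------

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE userprefs (user TEXT, prefkey TEXT, prefval TEXT)");
$db->exec("INSERT INTO userprefs VALUES ('alice', 'theme', 'dark'), ('bob', 'theme', 'light')");

// Constructed sample: a value containing markup, as it would arrive in the
// query string of a crafted link.
$hostile = "<script>alert(document.cookie)</script>";
echo render_mailbox_title_vulnerable($hostile), "\n"; // the tag survives intact
echo render_mailbox_title($hostile), "\n";            // rendered as inert text

// Constructed sample: a value that closes the quoted literal.
$probe = "x' OR '1'='1";
echo count(lookup_user_prefs_vulnerable($db, $probe)), " rows (concatenated query: filter bypassed)\n";
echo count(lookup_user_prefs($db, $probe)), " rows (prepared statement: literal match only)\n";
```

Run it with `php example.php` on any PHP build with the pdo_sqlite extension. The point the two pairs make is the same one the advisory makes: the fix is not to detect "code" in incoming variables but to encode on output and to keep data out of query structure, so that the contents of the query string cannot change what the page or the database does.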

Workaround
==========

There is no known workaround at this time. All users are advised to
upgrade to version 1.4.3_rc1 or higher of SquirrelMail.

Resolution
==========

All SquirrelMail users should upgrade to the latest stable version:

# emerge sync

# emerge -pv ">=net-mail/squirrelmail-1.4.3_rc1"
# emerge ">=net-mail/squirrelmail-1.4.3_rc1"

References
==========

[ 1 ] SquirrelMail 1.4.3_rc1 release announcement
http://sourceforge.net/mailarchive/forum.php?thread_id=4199060&forum_id=1988
[ 2 ] Bugtraq security announcement
http://www.securityfocus.com/bid/10246/
[ 3 ] CERT description of XSS
http://www.cert.org/advisories/CA-2000-02.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200405-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFArkYbnt0v0zAqOHYRAsbCAKCgFyTi3benON9CIPi1Z/Zs85KXFgCeKOeF
SbrQqZQoiK2N2QPn8FuWUHw=
=HZpB
-----END PGP SIGNATURE-----