Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200408-02 ] Courier: Cross-site scripting vulnerability in SqWebMail
Date: Wed, 04 Aug 2004 15:52:21
Message-Id: 411105E8.7010000@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200408-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Courier: Cross-site scripting vulnerability in SqWebMail
Date: August 04, 2004
Bugs: #58020
ID: 200408-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The SqWebMail web application, included in the Courier suite, is
vulnerable to cross-site scripting attacks.

Background
==========

Courier is an integrated mail and groupware server based on open
protocols. It provides ESMTP, IMAP, POP3, webmail, and mailing list
services within a single framework. The webmail functionality included
in Courier, called SqWebMail, allows you to access mailboxes from a web
browser.

Affected packages
=================

    -------------------------------------------------------------------
     Package           /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  mail-mta/courier      <= 0.45.6                >= 0.45.6.20040618

Description
===========

Luca Legato found that SqWebMail is vulnerable to a cross-site
scripting (XSS) attack. An XSS attack allows an attacker to insert
malicious code into a web-based application. SqWebMail does not properly
filter data coming from message headers before displaying it.

Impact
======

By sending a carefully crafted message, an attacker can inject and
execute script code in the victim's browser window. This allows the
attacker to modify the behaviour of the SqWebMail application, and/or
leak session information such as cookies to the attacker.

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version of Courier.

Resolution
==========

All Courier users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=mail-mta/courier-0.45.6.20040618"
    # emerge ">=mail-mta/courier-0.45.6.20040618"

References
==========

  [ 1 ] CAN-2004-0591
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0591
  [ 2 ] XSS definition
        http://www.cert.org/advisories/CA-2000-02.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200408-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBEQXovcL1obalX08RAqg6AJ9GN2Cp6GME/aZSGSAKW27WosrGfACfYga2
Cwss+8VoQYFfibga3lkffy8=
=Tyco
-----END PGP SIGNATURE-----
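
The Description section of the advisory says header data was displayed without proper filtering. The C code below is an added illustration of the mitigation class (output-escaping an untrusted header value before it is placed in HTML); it is not part of the advisory, not SqWebMail's code and not the upstream fix. The names `html_escape` and `render_header`, the row markup and the sample Subject value are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helper, not SqWebMail's code: copy src into dst with HTML
 * metacharacters replaced by entities. Returns bytes written, or -1 if dst
 * is too small (dst is then emptied, never left holding a cut-off entity). */
int html_escape(const char *src, char *dst, size_t dstlen)
{
    size_t used = 0;
    if (dstlen == 0)
        return -1;
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;          /* default: copy the byte as is */
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > dstlen) {    /* keep room for the NUL */
            dst[0] = '\0';
            return -1;
        }
        memcpy(dst + used, rep, n);
        used += n;
    }
    dst[used] = '\0';
    return (int)used;
}

/* Render one header row; name is app-defined, value is untrusted mail data. */
int render_header(const char *name, const char *value, char *out, size_t outlen)
{
    char safe[512];
    if (html_escape(value, safe, sizeof safe) < 0)
        return -1;                      /* refuse rather than emit raw data */
    int n = snprintf(out, outlen, "<tr><th>%s</th><td>%s</td></tr>", name, safe);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char row[256];  /* constructed Subject value below, not from a real message */
    if (render_header("Subject", "<script>alert(1)</script>", row, sizeof row) > 0)
        puts(row);
    return 0;
}
```

The escaping is applied at the point of output, so it covers any header field routed through `render_header` regardless of how the message was received.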