|
Family: CGI abuses --> Category: attack
SquirrelMail base_uri Parameter Information Disclosure Vulnerability Vulnerability Scan
Vulnerability Scan Summary Tries to change path parameter used by SquirrelMail cookies
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains a PHP script that is affected by an
information disclosure issue.
Description :
The version of SquirrelMail installed on the remote fails to check the
origin of the 'base_uri' parameter in the 'functions/strings.php'
script before using it to set the path for its cookies. A possible hacker
may be able to leverage this issue to steal cookies associated with
the affected application provided he has control of a malicious site
within the same domain and PHP's 'register_globals' setting is
enabled.
See also :
http://www.squirrelmail.org/changelog.php
Solution :
Disable PHP's 'register_globals' setting or upgrade to SquirrelMail
1.4.7-CVS or later.
Threat Level:
Low / CVSS Base Score : 1.9
(AV:R/AC:H/Au:NR/C:P/I:N/A:N/B:N)
Click HERE for more information and discussions on this network vulnerability scan.
|