Family: Debian Local Security Checks --> Category: infos
[DSA1241] DSA-1241-1 squirrelmail Vulnerability Scan
Detailed Explanation for this Vulnerability Test
Martijn Brinkers discovered cross-site scripting vulnerabilities in
the mailto parameter of webmail.php, in the session and delete_draft
parameters of compose.php, and through a shortcoming in the magicHTML
filter. An attacker could abuse these to execute malicious JavaScript in
the user's webmail session.
Also, a workaround was made for Internet Explorer <= 5: IE attempts
to guess the MIME type of attachments from their content rather than
from the MIME header sent. Attachments could therefore pose as a
'harmless' JPEG while in fact being HTML that Internet Explorer would render.
For the stable distribution (sarge) these problems have been fixed in
version 2:1.4.4-10.
For the upcoming stable distribution (etch) these problems have been fixed
in version 2:1.4.9a-1.
For the unstable distribution (sid) these problems have been fixed in
version 2:1.4.9a-1.
We recommend that you upgrade your squirrelmail package.
Solution : http://www.debian.org/security/2006/dsa-1241
Threat Level: High
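A local check for the fixed versions listed above, as an added example that is not part of the original advisory or of the scanner plugin: it implements the `dpkg --compare-versions` ordering (epoch, then upstream version, then Debian revision) and reports whether an installed squirrelmail version is below the DSA-1241 fix for its suite. The suite names and installed versions passed to it are assumed inputs.

```python
import re

# Fixed squirrelmail versions per Debian suite, taken from the DSA-1241 text above.
FIXED_VERSIONS = {"sarge": "2:1.4.4-10", "etch": "2:1.4.9a-1", "sid": "2:1.4.9a-1"}

def _order(c):
    """dpkg character weight: '~' < end of string (0) < letters < other characters; digits weigh 0."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return 0 if c.isdigit() else ord(c) + 256

def _cmp_part(a, b):
    """Compare an upstream or revision string the way dpkg does; returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights; end of string weighs 0, so '1.4.9' < '1.4.9a'.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa = _order(a[i]) if i < len(a) else 0
            ob = _order(b[j]) if j < len(b) else 0
            if oa != ob:
                return -1 if oa < ob else 1
            i, j = i + 1, j + 1
        # Digit run: compare numerically, so revision '10' sorts after '9'.
        da, db = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(da), j + len(db)
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(version):
    """Split 'epoch:upstream-revision'; a missing epoch is 0 and a missing revision is '0'."""
    epoch, _, rest = version.rpartition(":")
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch or "0"), (upstream if sep else rest), (revision if sep else "0")

def compare_versions(v1, v2):
    """Return -1, 0 or 1, like `dpkg --compare-versions`: epoch first, then upstream, then revision."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def is_vulnerable(suite, installed_version):
    """True when the installed squirrelmail package is older than the DSA-1241 fix for that suite."""
    return compare_versions(installed_version, FIXED_VERSIONS[suite]) < 0
```

Note that the epoch matters: a version string read without its `2:` prefix compares as older than every fixed version and would produce a false positive.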