Family: Gentoo Local Security Checks --> Category: infos
[GLSA-200405-16] Multiple XSS Vulnerabilities in SquirrelMail Vulnerability Scan
Vulnerability Scan Summary Multiple XSS Vulnerabilities in SquirrelMail
Detailed Explanation for this Vulnerability Test
The remote host is affected by the vulnerability described in GLSA-200405-16
(Multiple XSS Vulnerabilities in SquirrelMail)
Several unspecified cross-site scripting (XSS) vulnerabilities and a
well-hidden SQL injection vulnerability were found. An XSS attack allows an
attacker to inject malicious script into a web-based application so that it
executes in other users' browsers. SquirrelMail does not sanitize variables
received via the URL query string before using them, so script embedded in
those parameters is passed through unchecked.
Impact:
One of the XSS vulnerabilities could be exploited by an attacker to steal
cookie-based authentication credentials from the user's browser. The SQL
injection issue could potentially be used by an attacker to run arbitrary
SQL commands inside the SquirrelMail database with the rights of the
SquirrelMail database user.
Workaround:
There is no known workaround at this time. All users are advised to upgrade
to version 1.4.3_rc1 or higher of SquirrelMail.
References:
http://sourceforge.net/mailarchive/forum.php?thread_id=4199060&forum_id=1988
http://www.securityfocus.com/bid/10246/
http://www.cert.org/advisories/CA-2000-02.html
Solution:
All SquirrelMail users should upgrade to the latest stable version:
# emerge sync
# emerge -pv ">=net-mail/squirrelmail-1.4.3_rc1"
# emerge ">=net-mail/squirrelmail-1.4.3_rc1"
Threat Level: Medium