First published: Mon Jan 12 2009
SquirrelMail is an easy-to-configure, standards-based webmail package written in PHP. It includes built-in PHP support for the IMAP and SMTP protocols, and pure HTML 4.0 page rendering (with no JavaScript required) for maximum browser compatibility, strong MIME support, address books, and folder manipulation.

Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail caused by insufficient HTML mail sanitization. A remote attacker could send a specially crafted HTML mail or attachment that could cause a user's Web browser to execute a malicious script in the context of the SquirrelMail session when that email or attachment was opened by the user. (CVE-2008-2379)

It was discovered that SquirrelMail allowed cookies over insecure connections (i.e. it did not restrict cookies to HTTPS connections). An attacker who controlled the communication channel between a user and the SquirrelMail server, or who was able to sniff the user's network communication, could use this flaw to obtain the user's session cookie if the user made an HTTP request to the server. (CVE-2008-3663)

Note: After applying this update, all session cookies set for SquirrelMail sessions started over HTTPS connections will have the "secure" flag set. That is, browsers will only send such cookies over an HTTPS connection. If needed, you can revert to the previous behavior by setting the configuration option "$only_secure_cookies" to "false" in SquirrelMail's /etc/squirrelmail/config.php configuration file.

Users of squirrelmail should upgrade to this updated package, which contains backported patches to correct these issues.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/squirrelmail | <1.4.8-5.el5_2.2 | 1.4.8-5.el5_2.2 |
| redhat/squirrelmail | <1.4.8-5.el4_7.2 | 1.4.8-5.el4_7.2 |
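To confirm after the update that the webmail session cookie actually carries the "secure" flag described above, the following added example (not SquirrelMail's or Red Hat's code) parses Set-Cookie headers and reports cookies missing Secure or HttpOnly. The header lines are constructed sample data, and SQMSESSID is assumed to be the session cookie name.

```python
"""Audit Set-Cookie headers from a webmail response for the Secure flag.

Added example, not SquirrelMail's own code. The header lines below are
constructed sample data; SQMSESSID is assumed to be the session cookie name.
"""
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a dict of attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()  # attribute names are case-insensitive
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(set_cookie_headers: List[str], over_https: bool) -> List[str]:
    """Return one finding per cookie that lacks a flag a session cookie should carry.

    Over HTTPS, a session cookie without Secure is replayed by the browser on
    any plain-HTTP request to the server (the CVE-2008-3663 condition).
    HttpOnly is reported too: it keeps script injected via HTML mail
    (the CVE-2008-2379 class of bug) from reading the cookie.
    """
    findings = []
    for h in set_cookie_headers:
        c = parse_set_cookie(h)
        if over_https and "secure" not in c["attrs"]:
            findings.append(f"{c['name']}: missing Secure flag")
        if "httponly" not in c["attrs"]:
            findings.append(f"{c['name']}: missing HttpOnly flag")
    return findings


# Constructed samples: a pre-update style header with no flags, and a
# hardened header carrying both flags.
SAMPLE_BEFORE = ["SQMSESSID=abc123; path=/webmail/"]
SAMPLE_AFTER = ["SQMSESSID=abc123; path=/webmail/; secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_cookies(headers, over_https=True) or "ok")
```

In practice, feed it the Set-Cookie values captured from a login over HTTPS; an empty result means the update's behaviour is in effect.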