First published: Tue May 26 2009
SquirrelMail is a standards-based webmail package written in PHP.

A server-side code injection flaw was found in the SquirrelMail "map_yp_alias" function. If SquirrelMail was configured to retrieve a user's IMAP server address from a Network Information Service (NIS) server via the "map_yp_alias" function, an unauthenticated, remote attacker using a specially-crafted username could use this flaw to execute arbitrary code with the privileges of the web server. (CVE-2009-1579)

Multiple cross-site scripting (XSS) flaws were found in SquirrelMail. An attacker could construct a carefully crafted URL which, once visited by an unsuspecting user, could cause the user's web browser to execute malicious script in the context of the visited SquirrelMail web page. (CVE-2009-1578)

It was discovered that SquirrelMail did not properly sanitize Cascading Style Sheets (CSS) directives used in HTML mail. A remote attacker could send a specially-crafted email that could place mail content above SquirrelMail's controls, possibly allowing phishing and cross-site scripting attacks. (CVE-2009-1581)

Users of squirrelmail should upgrade to this updated package, which contains backported patches to correct these issues.
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/squirrelmail | <1.4.8-5.el5_3.7 | 1.4.8-5.el5_3.7 |
redhat/squirrelmail | <1.4.8-5.el4_8.5 | 1.4.8-5.el4_8.5 |
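A check an administrator can run on an affected host to see whether the installed squirrelmail package still predates the fixed versions in the table above. This is an added example, not part of the advisory or of Red Hat's tooling; it assumes `rpm` is on the path and uses a simplified reimplementation of rpm's version comparison (no tilde or caret handling), which is enough for the version strings involved here.

```python
import re
import subprocess

# Fixed VERSION-RELEASE strings from the advisory, keyed by the dist tag in the release.
FIXED = {"el5": "1.4.8-5.el5_3.7", "el4": "1.4.8-5.el4_8.5"}


def _segments(s):
    # rpm splits on non-alphanumerics; digit runs and letter runs become separate segments.
    return re.findall(r"\d+|[a-zA-Z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: returns -1 if a < b, 0 if equal, 1 if a > b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)  # numeric compare, so 10 > 9 and leading zeros are ignored
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts newer than an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer (1.4.8a > 1.4.8).
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_evr(installed, fixed):
    """Compare VERSION-RELEASE pairs: version decides first, release breaks ties."""
    iv, ir = installed.split("-", 1)
    fv, fr = fixed.split("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def is_vulnerable(installed):
    """True if the installed VERSION-RELEASE is older than the fixed build for its dist tag."""
    m = re.search(r"\.(el\d+)", installed)
    if not m or m.group(1) not in FIXED:
        raise ValueError(f"unrecognised dist tag in {installed!r}")
    return compare_evr(installed, FIXED[m.group(1)]) < 0


def installed_version():
    # Assumption: run on the RHEL host itself; rpm prints e.g. 1.4.8-5.el5_3.7
    out = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "squirrelmail"],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    v = installed_version()
    print(f"squirrelmail {v}: {'VULNERABLE, upgrade' if is_vulnerable(v) else 'fixed'}")
```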