Debian: squirrelmail Multiple vulnerabilities

    Date: 11 Aug 2004
    Category: Debian
    Posted By: LinuxSecurity Advisories
    This patch addresses multiple Cross Site Scripting and SQL Injection vulnerabilities.
    
    Debian Security Advisory DSA 535-1                     security@debian.org
    http://www.debian.org/security/                             Matt Zimmerman
    August 2nd, 2004                         http://www.debian.org/security/faq
    - --------------------------------------------------------------------------
    
    Package        : squirrelmail
    Vulnerability  : several
    Problem-Type   : remote
    Debian-specific: no
    CVE Ids        : CAN-2004-0519 CAN-2004-0520 CAN-2004-0521 CAN-2004-0639
    
    Four vulnerabilities were discovered in squirrelmail:
    
     CAN-2004-0519 - Multiple cross-site scripting (XSS) vulnerabilities
     in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary
     script as other users and possibly steal authentication information
     via multiple attack vectors, including the mailbox parameter in
     compose.php.
    
     CAN-2004-0520 - Cross-site scripting (XSS) vulnerability in mime.php
     for SquirrelMail before 1.4.3 allows remote attackers to insert
     arbitrary HTML and script via the content-type mail header, as
     demonstrated using read_body.php.
    
     CAN-2004-0521 - SQL injection vulnerability in SquirrelMail before
     1.4.3 RC1 allows remote attackers to execute unauthorized SQL
     statements, with unknown impact, probably via abook_database.php.
    
     CAN-2004-0639 - Multiple cross-site scripting (XSS) vulnerabilities
     in Squirrelmail 1.2.10 and earlier allow remote attackers to inject
     arbitrary HTML or script via (1) the $mailer variable in
     read_body.php, (2) the $senderNames_part variable in
     mailbox_display.php, and possibly other vectors including (3) the
     $event_title variable or (4) the $event_text variable.
    
    For the current stable distribution (woody), these problems have been
    fixed in version 1:1.2.6-1.4.
    
    For the unstable distribution (sid), these problems have been fixed in
    2:1.4.3a-0.1 and earlier versions.
    
    We recommend that you update your squirrelmail package.
    
    Upgrade Instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    Debian GNU/Linux 3.0 alias woody
    - --------------------------------
    
      Source archives:
    
         http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-1.4.dsc
          Size/MD5 checksum:      586 9e3f6fb2b152cb6086be738abc5e1021
         http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-1.4.diff.gz
          Size/MD5 checksum:    20493 0f07dc4c32a8356344ba5f39d6c2373a
         http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6.orig.tar.gz
          Size/MD5 checksum:  1856087 be9e6be1de8d3dd818185d596b41a7f1
    
      Architecture independent components:
    
         http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-1.4_all.deb
          Size/MD5 checksum:  1840376 34057494a43f7a136276d821956e010a
    
      These files will probably be moved into the stable distribution on
      its next revision.
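The upgrade instructions above fetch the .deb and hand it straight to dpkg -i; the advisory also publishes a size and MD5 for each file, so the download can be checked before it is installed. This is an added example, not part of the advisory: the `verify_file` and `fetch_and_install` helpers are assumed names, and the size/MD5 values are the ones listed for the woody package above.

```shell
#!/bin/sh
# Added example: check a downloaded DSA 535-1 file against the byte size and
# MD5 published in the advisory before installing it with dpkg -i.
# MD5 is what the 2004 advisory lists; it catches a truncated or corrupted
# download, which is the case this script is written for.

# verify_file FILE SIZE MD5: returns 0 when FILE matches both values, 1 otherwise.
verify_file() {
    file=$1; want_size=$2; want_md5=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    size=$(wc -c < "$file" | tr -d ' ')
    md5=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$size" != "$want_size" ]; then
        echo "size mismatch for $file: got $size, want $want_size" >&2
        return 1
    fi
    if [ "$md5" != "$want_md5" ]; then
        echo "md5 mismatch for $file: got $md5, want $want_md5" >&2
        return 1
    fi
    return 0
}

# fetch_and_install URL SIZE MD5: download the file, verify it, and only then
# install it; a file that fails verification is deleted, not installed.
fetch_and_install() {
    url=$1; size=$2; md5=$3
    file=${url##*/}
    wget -q "$url" || { echo "download failed: $url" >&2; return 1; }
    verify_file "$file" "$size" "$md5" || { rm -f "$file"; return 1; }
    dpkg -i "$file"
}

# Values copied from the advisory's "Architecture independent components" entry.
DEB_URL=http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-1.4_all.deb
DEB_SIZE=1840376
DEB_MD5=34057494a43f7a136276d821956e010a

# Run the real download/install only when explicitly asked (needs root and network).
if [ "${DSA_RUN:-0}" = 1 ]; then
    fetch_and_install "$DEB_URL" "$DEB_SIZE" "$DEB_MD5"
fi
```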
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb  http://security.debian.org/ stable/updates main
    For dpkg-ftp:  ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: debian-security-announce@lists.debian.org
    Package info: `apt-cache show <pkg>' and  http://packages.debian.org/<pkg>