Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.

Roman Medina-Heigl Hernandez did a survey which other webmail systems where vulnerable to a bug he discovered in SquirrelMail. This advisory summarizes the results.

Four vulnerabilities were discovered in squirrelmail :

  - CAN-2004-0519     Multiple cross-site scripting (XSS) vulnerabilities in     SquirrelMail 1.4.2 allow remote attackers to execute     arbitrary script as other users and possibly steal     authentication information via multiple attack vectors,     including the mailbox parameter in compose.php.

  - CAN-2004-0520

    Cross-site scripting (XSS) vulnerability in mime.php for     SquirrelMail before 1.4.3 allows remote attackers to     insert arbitrary HTML and script via the content-type     mail header, as demonstrated using read_body.php.

  - CAN-2004-0521

    SQL injection vulnerability in SquirrelMail before 1.4.3     RC1 allows remote attackers to execute unauthorized SQL     statements, with unknown impact, probably via     abook_database.php.

  - CAN-2004-0639

    Multiple cross-site scripting (XSS) vulnerabilities in     Squirrelmail 1.2.10 and earlier allow remote attackers     to inject arbitrary HTML or script via (1) the $mailer     variable in read_body.php, (2) the $senderNames_part     variable in mailbox_display.php, and possibly other     vectors including (3) the $event_title variable or (4)     the $event_text variable.

The remote host is affected by the vulnerability described in GLSA-200405-16 (Multiple XSS Vulnerabilities in SquirrelMail)

    Several unspecified cross-site scripting (XSS) vulnerabilities and a     well-hidden SQL injection vulnerability were found. An XSS attack     allows an attacker to insert malicious code into a web-based     application. SquirrelMail does not check for code when parsing     variables received via the URL query string.
  Impact :

    One of the XSS vulnerabilities could be exploited by an attacker to     steal cookie-based authentication credentials from the user's browser.
    The SQL injection issue could potentially be used by an attacker to run     arbitrary SQL commands inside the SquirrelMail database with privileges     of the SquirrelMail database user.
  Workaround :

    There is no known workaround at this time. All users are advised to     upgrade to version 1.4.3_rc1 or higher of SquirrelMail.

SquirrelMail is a web-based mail server.  There are several flaws in all versions prior to 1.4.3 that allow for remote cross-site scripting (XSS) attacks and SQL injection attacks.

A SQL injection flaw was found in SquirrelMail version 1.4.2 and earlier. If SquirrelMail is configured to store user addressbooks in the database, a remote attacker could use this flaw to execute arbitrary SQL statements. The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-0521 to this issue.

A number of cross-site scripting (XSS) flaws in SquirrelMail version 1.4.2 and earlier could allow remote attackers to execute scripts as other web users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0519 and CVE-2004-0520 to these issues.

This update includes the SquirrelMail version 1.4.3a which is not vulnerable to these issues.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An updated SquirrelMail package that fixes several security vulnerabilities is now available.

SquirrelMail is a webmail package written in PHP. Multiple vulnerabilities have been found which affect the version of SquirrelMail shipped with Red Hat Enterprise Linux 3.

A SQL injection flaw was found in SquirrelMail version 1.4.2 and earlier. If SquirrelMail is configured to store user addressbooks in the database, a remote attacker could use this flaw to execute arbitrary SQL statements. The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-0521 to this issue.

A number of cross-site scripting (XSS) flaws in SquirrelMail version 1.4.2 and earlier could allow remote attackers to execute script as other web users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0519 and CVE-2004-0520 to these issues.

All users of SquirrelMail are advised to upgrade to the erratum package containing SquirrelMail version 1.4.3a which is not vulnerable to these issues.

The remote host is running SquirrelMail, a web-based mail server.

There are several flaws in all versions less than 1.4.3 and development versions 1.5.0 and 1.5.1 that allow for local root access and remote cross-site scripting (XSS) attacks.

***** Nessus has determined the vulnerability exists on the target
***** simply by looking at the version number of Squirrelmail
***** installed there.

ID	Name	Product	Family	Severity
36521	FreeBSD : 'Content-Type' XSS vulnerability affecting other webmail systems (c5519420-cec2-11d8-8898-000d6111a684)	Nessus	FreeBSD Local Security Checks	medium
15372	Debian DSA-535-1 : squirrelmail - several vulnerabilities	Nessus	Debian Local Security Checks	critical
14502	GLSA-200405-16 : Multiple XSS Vulnerabilities in SquirrelMail	Nessus	Gentoo Local Security Checks	critical
1217	SquirrelMail < 1.4.3 Multiple Vulnerabilities	Nessus Network Monitor	CGI	critical
13716	Fedora Core 2 : squirrelmail-1.4.3-1 (2004-160)	Nessus	Fedora Local Security Checks	critical
12503	RHEL 3 : squirrelmail (RHSA-2004:240)	Nessus	Red Hat Local Security Checks	critical
14228	SquirrelMail < 1.4.3 Multiple Vulnerabilities	Nessus	CGI abuses	high

Detections

Analytics

CVE-2004-0519

medium

Tenable Plugins

medium

critical

critical

critical

critical

critical

high