Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

The remote Oracle Linux 5 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2009-0010 advisory.

    - Resolves: CVE-2008-2379
    - Resolves: CVE-2008-3663, #468398

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail caused by insufficient HTML mail sanitization. A remote attacker could send a specially crafted HTML mail or attachment that could cause a user's Web browser to execute a malicious script in the context of the SquirrelMail session when that email or attachment was opened by the user. (CVE-2008-2379)

It was discovered that SquirrelMail allowed cookies over insecure connections (ie did not restrict cookies to HTTPS connections). An attacker who controlled the communication channel between a user and the SquirrelMail server, or who was able to sniff the user's network communication, could use this flaw to obtain the user's session cookie, if a user made an HTTP request to the server. (CVE-2008-3663)

Note: After applying this update, all session cookies set for SquirrelMail sessions started over HTTPS connections will have the 'secure' flag set. That is, browsers will only send such cookies over an HTTPS connection. If needed, you can revert to the previous behavior by setting the configuration option '$only_secure_cookies' to 'false' in SquirrelMail's /etc/squirrelmail/config.php configuration file.

The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2009-001 applied.

This security update contains fixes for the following products :

  - AFP Server
  - Apple Pixlet Video
  - CarbonCore
  - CFNetwork
  - Certificate Assistant
  - ClamAV
  - CoreText
  - CUPS
  - DS Tools
  - fetchmail
  - Folder Manager
  - FSEvents
  - Network Time
  - perl
  - Printing
  - python
  - Remote Apple Events
  - Safari RSS
  - servermgrd
  - SMB
  - SquirrelMail
  - X11
  - XTerm

The version of SquirrelMail installed on the remote host does not set the 'secure' flag for session cookies established when communicating over SSL / TLS.  This could lead to disclosure of those cookies if a user issues a request to a host in the same domain over HTTP (as opposed to HTTPS).

This update of squirrelmail corrects a problem introduced by a patch for CVE-2008-3663 that caused cookies to be static. (CVE-2009-0030)

The remote Redhat Enterprise Linux 4 / 5 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2009:0010 advisory.

    SquirrelMail is an easy-to-configure, standards-based, webmail package     written in PHP. It includes built-in PHP support for the IMAP and SMTP     protocols, and pure HTML 4.0 page-rendering (with no JavaScript required)     for maximum browser-compatibility, strong MIME support, address books, and     folder manipulation.

    Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail     caused by insufficient HTML mail sanitization. A remote attacker could send     a specially-crafted HTML mail or attachment that could cause a user's Web     browser to execute a malicious script in the context of the SquirrelMail     session when that email or attachment was opened by the user.
    (CVE-2008-2379)

    It was discovered that SquirrelMail allowed cookies over insecure     connections (ie did not restrict cookies to HTTPS connections). An attacker     who controlled the communication channel between a user and the     SquirrelMail server, or who was able to sniff the user's network     communication, could use this flaw to obtain the user's session cookie, if     a user made an HTTP request to the server. (CVE-2008-3663)

    Note: After applying this update, all session cookies set for SquirrelMail     sessions started over HTTPS connections will have the secure flag set.
    That is, browsers will only send such cookies over an HTTPS connection. If     needed, you can revert to the previous behavior by setting the     configuration option $only_secure_cookies to false in SquirrelMail's     /etc/squirrelmail/config.php configuration file.

    Users of squirrelmail should upgrade to this updated package, which     contains backported patches to correct these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An updated squirrelmail package that resolves various security issues is now available for Red Hat Enterprise Linux 3, 4 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

SquirrelMail is an easy-to-configure, standards-based, webmail package written in PHP. It includes built-in PHP support for the IMAP and SMTP protocols, and pure HTML 4.0 page-rendering (with no JavaScript required) for maximum browser-compatibility, strong MIME support, address books, and folder manipulation.

Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail caused by insufficient HTML mail sanitization. A remote attacker could send a specially crafted HTML mail or attachment that could cause a user's Web browser to execute a malicious script in the context of the SquirrelMail session when that email or attachment was opened by the user. (CVE-2008-2379)

It was discovered that SquirrelMail allowed cookies over insecure connections (ie did not restrict cookies to HTTPS connections). An attacker who controlled the communication channel between a user and the SquirrelMail server, or who was able to sniff the user's network communication, could use this flaw to obtain the user's session cookie, if a user made an HTTP request to the server. (CVE-2008-3663)

Note: After applying this update, all session cookies set for SquirrelMail sessions started over HTTPS connections will have the 'secure' flag set. That is, browsers will only send such cookies over an HTTPS connection. If needed, you can revert to the previous behavior by setting the configuration option '$only_secure_cookies' to 'false' in SquirrelMail's /etc/squirrelmail/config.php configuration file.

Users of squirrelmail should upgrade to this updated package, which contains backported patches to correct these issues.

Squirrelmail was updated to use the secure flag for its cookies.
Otherwise it was possible to hijack a SSL-protected session via leaked cookies. (CVE-2008-3663)

The previous update for the problem above contained a typo which broke squirrelmail.

Squirrelmail was updated to use the secure flag for its cookies.
Otherwise it was possible to hijack a SSL-protected session via leaked cookies. (CVE-2008-3663)

update to 1.4.16 fixes CVE-2008-3663

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

rebase to 1.4.16

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Hanno Boeck reports :

When configuring a web application to use only ssl (e.g. by forwarding all http-requests to https), a user would expect that sniffing and hijacking the session is impossible.

Though, for this to be secure, one needs to set the session cookie to have the secure flag. Otherwise the cookie will be transferred through HTTP if the victim's browser does a single HTTP request on the same domain.

Squirrelmail does not set that flag. It is fixed in the 1.5 test versions, but current 1.4.15 is vulnerable.

ID	Name	Product	Family	Severity
67786	Oracle Linux 5 : squirrelmail (ELSA-2009-0010)	Nessus	Oracle Linux Local Security Checks	medium
60519	Scientific Linux Security Update : squirrelmail on SL3.x, SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
35684	Mac OS X Multiple Vulnerabilities (Security Update 2009-001)	Nessus	MacOS X Local Security Checks	critical
35661	SquirrelMail HTTPS Session Cookie Secure Flag Weakness	Nessus	CGI abuses	medium
35598	openSUSE 10 Security Update : squirrelmail (squirrelmail-5978)	Nessus	SuSE Local Security Checks	medium
35357	RHEL 4 / 5 : squirrelmail (RHSA-2009:0010)	Nessus	Red Hat Local Security Checks	medium
35353	CentOS 3 / 4 / 5 : squirrelmail (CESA-2009:0010)	Nessus	CentOS Local Security Checks	medium
34848	openSUSE 10 Security Update : squirrelmail (squirrelmail-5792)	Nessus	SuSE Local Security Checks	medium
34814	openSUSE 10 Security Update : squirrelmail (squirrelmail-5778)	Nessus	SuSE Local Security Checks	medium
34493	Fedora 8 : squirrelmail-1.4.16-1.fc8 (2008-9071)	Nessus	Fedora Local Security Checks	medium
34479	Fedora 9 : squirrelmail-1.4.16-1.fc9 (2008-8559)	Nessus	Fedora Local Security Checks	medium
34271	FreeBSD : squirrelmail -- Session hijacking vulnerability (a0afb4b9-89a1-11dd-a65b-00163e000016)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2008-3663

medium

Tenable Plugins

medium

medium

critical

medium

medium

medium

medium

medium

medium

medium

medium

medium