RHEL 3 : squirrelmail (RHSA-2004:654)

medium Nessus Plugin ID 16053

Synopsis

The remote Red Hat host is missing a security update.

Description

An updated SquirrelMail package that fixes a cross-site scripting vulnerability is now available.

SquirrelMail is a webmail package written in PHP.

A cross-site scripting bug has been found in SquirrelMail. This issue could allow an attacker to send a mail with a carefully crafted header, which could cause the victim's machine to execute a malicious script. The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-1036 to this issue.

Additionally, the following issues have been addressed:

- updated splash screens
- HIGASHIYAMA Masato's patch to improve Japanese support
- real 1.4.3a tarball
- config_local.php and default_pref in /etc/squirrelmail/ to match upstream RPM.

Please note that upgrading to this package may remove your SquirrelMail configuration files due to a bug in the RPM package. Upgrading will prevent this from happening in the future.

Users of SquirrelMail are advised to upgrade to this updated package, which contains a patched version of SquirrelMail version 1.4.3a and is not vulnerable to these issues.

Solution

Update the affected squirrelmail package.

See Also

https://access.redhat.com/security/cve/cve-2004-1036

https://access.redhat.com/errata/RHSA-2004:654

Plugin Details

Severity: Medium

ID: 16053

File Name: redhat-RHSA-2004-654.nasl

Version: 1.25

Type: local

Agent: unix

Published: 12/27/2004

Updated: 1/14/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:squirrelmail, cpe:/o:redhat:enterprise_linux:3

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Patch Publication Date: 12/23/2004

Vulnerability Publication Date: 3/1/2005

Reference Information

CVE: CVE-2004-1036

RHSA: 2004:654