Debian DSA-756-1 : squirrelmail - several vulnerabilities

medium Nessus Plugin ID 19196

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in Squirrelmail, a commonly used webmail system. The Common Vulnerabilities and Exposures project identifies the following problems :

- CAN-2005-1769 Martijn Brinkers discovered cross-site scripting vulnerabilities that allow remote attackers to inject arbitrary web script or HTML in the URL and e-mail messages.

- CAN-2005-2095

James Bercegay of GulfTech Security discovered a vulnerability in the variable handling which could lead to attackers altering other people's preferences and possibly reading them, writing files at any location writable for www-data and cross site scripting.

Solution

Upgrade the squirrelmail package.

For the old stable distribution (woody) these problems have been fixed in version 1.2.6-4.

For the stable distribution (sarge) these problems have been fixed in version 1.4.4-6sarge1.

See Also

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314374

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=317094

http://www.debian.org/security/2005/dsa-756

Plugin Details

Severity: Medium

ID: 19196

File Name: debian_DSA-756.nasl

Version: 1.19

Type: local

Agent: unix

Published: 7/14/2005

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:squirrelmail, cpe:/o:debian:debian_linux:3.0, cpe:/o:debian:debian_linux:3.1

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 7/13/2005

Vulnerability Publication Date: 6/15/2005

Reference Information

CVE: CVE-2005-1769, CVE-2005-2095

DSA: 756