RHEL 3 : squirrelmail (RHSA-2004:654)

This script is Copyright (C) 2004-2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing a security update.

Description :

An updated SquirrelMail package that fixes a cross-site scripting
vulnerability is now available.

SquirrelMail is a webmail package written in PHP.

A cross-site scripting bug has been found in SquirrelMail. This issue
could allow an attacker to send a mail with a carefully crafted
header, which could cause a malicious script to execute on the
victim's machine. The Common Vulnerabilities and Exposures project
has assigned the name CVE-2004-1036 to this issue.
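The cross-site scripting issue described above amounts to mail header text reaching the user's browser without HTML escaping. The following Python is an added illustration, not SquirrelMail's or Red Hat's code, of the vulnerable output pattern beside its hardened form, with a small detection helper. The sample messages are constructed for the example, and every name in it (parse_message, header_text, render_header_unsafe, render_header_safe, render_from_safe, flag_markup_headers) is the example's own.

```python
import base64
import html
from email import message_from_string, policy

# Constructed sample messages (not from the advisory): the Subject header carries
# HTML markup, once in the clear and once hidden inside an RFC 2047 encoded word.
PLAIN_SAMPLE = (
    "From: Alice <alice@example.test>\r\n"
    "Subject: Hello <script>alert(1)</script>\r\n"
    "\r\n"
    "body\r\n"
)
ENCODED_WORD = (
    "=?utf-8?b?"
    + base64.b64encode(b"<script>alert(1)</script>").decode("ascii")
    + "?="
)
ENCODED_SAMPLE = (
    "From: Alice <alice@example.test>\r\n"
    f"Subject: {ENCODED_WORD}\r\n"
    "\r\n"
    "body\r\n"
)


def parse_message(raw):
    # policy.default decodes RFC 2047 encoded words, so header_text() sees the
    # characters a browser would be shown, not the transport encoding.
    return message_from_string(raw, policy=policy.default)


def header_text(msg, name):
    # Decoded header value as plain text; missing headers render as empty.
    value = msg.get(name)
    return "" if value is None else str(value)


def render_header_unsafe(msg, name):
    # Vulnerable pattern: decoded header text pasted into HTML verbatim.
    return f"<td>{header_text(msg, name)}</td>"


def render_header_safe(msg, name):
    # Mitigation: escape every untrusted header value at the HTML output point,
    # after decoding, so an encoded word cannot smuggle markup past the filter.
    return f"<td>{html.escape(header_text(msg, name), quote=True)}</td>"


def render_from_safe(msg):
    # Structured headers are parsed into components first; each component is
    # then escaped, and the surrounding angle brackets are emitted as entities.
    addr = msg["From"].addresses[0]
    return (
        f"<td>{html.escape(addr.display_name, quote=True)} "
        f"&lt;{html.escape(addr.addr_spec, quote=True)}&gt;</td>"
    )


def flag_markup_headers(msg, names=("Subject",)):
    # Detection helper: names of unstructured headers whose decoded text
    # contains angle brackets, useful for logging or alerting on inbound mail.
    return [n for n in names if any(c in header_text(msg, n) for c in "<>")]


if __name__ == "__main__":
    for raw in (PLAIN_SAMPLE, ENCODED_SAMPLE):
        msg = parse_message(raw)
        print("unsafe:", render_header_unsafe(msg, "Subject"))
        print("safe:  ", render_header_safe(msg, "Subject"))
        print("from:  ", render_from_safe(msg))
        print("flagged:", flag_markup_headers(msg))
```

The point of the encoded sample is ordering: the escape must be applied to the decoded text, not to the raw header line, or the markup survives the trip through `=?utf-8?b?...?=`.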

Additionally, the following issues have been addressed :

- updated splash screens
- HIGASHIYAMA Masato's patch to improve Japanese support
- real 1.4.3a tarball
- config_local.php and default_pref in /etc/squirrelmail/ to match upstream RPM.

Please note that upgrading to this package may remove your SquirrelMail
configuration files, due to a bug in the earlier RPM package. Once this
package is installed, the problem will not recur on future upgrades.

Users of SquirrelMail are advised to upgrade to this updated package,
which contains a patched version of SquirrelMail 1.4.3a and is not
vulnerable to these issues.

See also :

https://www.redhat.com/security/data/cve/CVE-2004-1036.html
http://rhn.redhat.com/errata/RHSA-2004-654.html

Solution :

Update the affected squirrelmail package.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: Red Hat Local Security Checks

Nessus Plugin ID: 16053

CVE ID: CVE-2004-1036