RHEL 3 / 4 : squirrelmail (RHSA-2007:0022)

This script is Copyright (C) 2007-2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing a security update.

Description :

A new squirrelmail package that fixes security issues is now available
for Red Hat Enterprise Linux 3 and 4.

SquirrelMail is a standards-based webmail package written in PHP.

Several cross-site scripting bugs were discovered in SquirrelMail. An
attacker could inject arbitrary JavaScript or HTML content into
SquirrelMail pages by tricking a user into visiting a carefully
crafted URL. (CVE-2006-6142)

Users of SquirrelMail should upgrade to this erratum package, which
contains a backported patch to correct these issues.

Notes: - After installing this update, users are advised to restart
their httpd service to ensure that the updated version functions
correctly. - config.php should NOT be modified, please modify
config_local.php instead. - Known Bug: The configuration generator may
potentially produce bad options that interfere with the operation of
this application. Applying specific config changes to config_local.php
manually is recommended.

See also :

https://www.redhat.com/security/data/cve/CVE-2006-6142.html
http://rhn.redhat.com/errata/RHSA-2007-0022.html

Solution :

Update the affected squirrelmail package.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: Red Hat Local Security Checks

Nessus Plugin ID: 24317 ()

Bugtraq ID:

CVE ID: CVE-2006-6142