How to Buy
This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.
The remote Scientific Linux host is missing a security update.
A server-side code injection flaw was found in the SquirrelMail
'map_yp_alias' function. If SquirrelMail was configured to retrieve a
user's IMAP server address from a Network Information Service (NIS)
server via the 'map_yp_alias' function, an unauthenticated, remote
attacker using a specially crafted username could use this flaw to
execute arbitrary code with the privileges of the web server.
Multiple cross-site scripting (XSS) flaws were found in SquirrelMail.
An attacker could construct a carefully crafted URL, which once
visited by an unsuspecting user, could cause the user's web browser to
execute malicious script in the context of the visited SquirrelMail
web page. (CVE-2009-1578)
It was discovered that SquirrelMail did not properly sanitize
Cascading Style Sheets (CSS) directives used in HTML mail. A remote
attacker could send a specially crafted email that could place mail
content above SquirrelMail's controls, possibly allowing phishing and
cross-site scripting attacks. (CVE-2009-1581)
See also :
Update the affected squirrelmail package.
Risk factor :
Medium / CVSS Base Score : 6.8
Public Exploit Available : true
Family: Scientific Linux Local Security Checks
Nessus Plugin ID: 60590 ()
CVE ID: CVE-2009-1578CVE-2009-1579CVE-2009-1581
Nessus Professional: Scan unlimited IPs, run compliance checks & moreNessus Cloud: The power of Nessus for teams – from the cloud
The cookie settings on this website are set to 'allow all cookies' to give you the very best website experience. If you continue without changing these settings, you consent to this - but if you want, you can opt out of all cookies by clicking below.