Oracle Linux 3 / 4 : squirrelmail (ELSA-2007-0022)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Oracle Linux host is missing a security update.

Description :

From Red Hat Security Advisory 2007:0022 :

A new squirrelmail package that fixes security issues is now available
for Red Hat Enterprise Linux 3 and 4.

SquirrelMail is a standards-based webmail package written in PHP.

Several cross-site scripting bugs were discovered in SquirrelMail. An
attacker could inject arbitrary JavaScript or HTML content into
SquirrelMail pages by tricking a user into visiting a carefully
crafted URL. (CVE-2006-6142)

Users of SquirrelMail should upgrade to this erratum package, which
contains a backported patch to correct these issues.

Notes: - After installing this update, users are advised to restart
their httpd service to ensure that the updated version functions
correctly. - config.php should NOT be modified, please modify
config_local.php instead. - Known Bug: The configuration generator may
potentially produce bad options that interfere with the operation of
this application. Applying specific config changes to config_local.php
manually is recommended.

See also :

https://oss.oracle.com/pipermail/el-errata/2007-March/000104.html
https://oss.oracle.com/pipermail/el-errata/2007-February/000045.html

Solution :

Update the affected squirrelmail package.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: Oracle Linux Local Security Checks

Nessus Plugin ID: 67442 ()

Bugtraq ID:

CVE ID: CVE-2006-6142