SquirrelMail < 1.2.11 Multiple Script XSS

medium Nessus Plugin ID 14217

Synopsis

The remote host has an application that is affected by multiple cross-site scripting vulnerabilities.

Description

The target is running at least one instance of SquirrelMail whose version number is between 1.2.0 and 1.2.10 inclusive. Such versions do not properly sanitize From headers, leaving users vulnerable to XSS attacks. Further, since SquirrelMail displays From headers when listing a folder, attacks does not require a user to actually open a message, only view the folder listing.

For example, a remote attacker could effectively launch a DoS against a user by sending a message with a From header such as :

From:<!--<>(-->John Doe<script>document.cookie='PHPSESSID=xxx; path=/';</script><>

which rewrites the session ID cookie and effectively logs the user out.

***** Nessus has determined the vulnerability exists on the target
***** simply by looking at the version number(s) of Squirrelmail
***** installed there.

Solution

Upgrade to SquirrelMail 1.2.11 or later or wrap the call to sqimap_find_displayable_name in printMessageInfo in functions/mailbox_display.php with a call to htmlentities.

Plugin Details

Severity: Medium

ID: 14217

File Name: squirrelmail_html_injection_vuln.nasl

Version: 1.27

Type: remote

Published: 8/6/2004

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:squirrelmail:squirrelmail

Required KB Items: www/squirrelmail

Exploit Ease: No exploit is required

Vulnerability Publication Date: 5/29/2004

Reference Information

CVE: CVE-2004-0639

BID: 10450

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990