Debian DSA-662-2 : squirrelmail - several vulnerabilities

high Nessus Plugin ID 16283

Synopsis

The remote Debian host is missing a security-related update.

Description

Andrew Archibald discovered that the last update to squirrelmail which was intended to fix several problems caused a regression which got exposed when the user hits a session timeout. For completeness below is the original advisory text :

Several vulnerabilities have been discovered in Squirrelmail, a commonly used webmail system. The Common Vulnerabilities and Exposures project identifies the following problems :

- CAN-2005-0104 Upstream developers noticed that an unsanitised variable could lead to cross site scripting.

- CAN-2005-0152

Grant Hollingworth discovered that under certain circumstances URL manipulation could lead to the execution of arbitrary code with the privileges of www-data. This problem only exists in version 1.2.6 of Squirrelmail.

Solution

Upgrade the squirrelmail package.

For the stable distribution (woody) these problems have been fixed in version 1.2.6-3.

See Also

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=292714

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=295836

http://www.debian.org/security/2005/dsa-662

Plugin Details

Severity: High

ID: 16283

File Name: debian_DSA-662.nasl

Version: 1.23

Type: local

Agent: unix

Published: 2/2/2005

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:squirrelmail, cpe:/o:debian:debian_linux:3.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 3/14/2005

Vulnerability Publication Date: 1/20/2005

Reference Information

CVE: CVE-2005-0104, CVE-2005-0152

DSA: 662