FreeBSD : squirrelmail -- $_POST variable handling allows for various attacks (7d52081f-2795-11da-bc01-000e0c2e438a)

This script is Copyright (C) 2006-2016 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

A Squirrelmail Advisory reports :

An extract($_POST) was done in options_identities.php which allowed
for an attacker to set random variables in that file. This could lead
to the reading (and possible writing) of other people's preferences,
cross site scripting or writing files in webserver-writable locations.

See also :

http://www.squirrelmail.org/security/issue/2005-07-13
http://www.nessus.org/u?69b57df4

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 21456 (freebsd_pkg_7d52081f279511dabc01000e0c2e438a.nasl)

Bugtraq ID: 14254

CVE ID: CVE-2005-2095
