GLSA-200405-16 : Multiple XSS Vulnerabilities in SquirrelMail
Critical Nessus Plugin ID 14502
SynopsisThe remote Gentoo host is missing one or more security-related patches.
DescriptionThe remote host is affected by the vulnerability described in GLSA-200405-16 (Multiple XSS Vulnerabilities in SquirrelMail)
Several unspecified cross-site scripting (XSS) vulnerabilities and a well-hidden SQL injection vulnerability were found. An XSS attack allows an attacker to insert malicious code into a web-based application. SquirrelMail does not check for code when parsing variables received via the URL query string.
One of the XSS vulnerabilities could be exploited by an attacker to steal cookie-based authentication credentials from the user's browser.
The SQL injection issue could potentially be used by an attacker to run arbitrary SQL commands inside the SquirrelMail database with privileges of the SquirrelMail database user.
There is no known workaround at this time. All users are advised to upgrade to version 1.4.3_rc1 or higher of SquirrelMail.
SolutionAll SquirrelMail users should upgrade to the latest stable version:
# emerge sync # emerge -pv '>=mail-client/squirrelmail-1.4.3_rc1' # emerge '>=mail-client/squirrelmail-1.4.3_rc1'