CentOS 3 / 4 / 5 : squirrelmail (CESA-2009:0057)

Medium Nessus Plugin ID 35424

VPR Score: 5.9

Synopsis

The remote CentOS host is missing a security update.

Description

An updated squirrelmail package that fixes a security issue is now available for Red Hat Enterprise Linux 3, 4 and 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

SquirrelMail is an easy-to-configure, standards-based, webmail package written in PHP. It includes built-in PHP support for the IMAP and SMTP protocols, and pure HTML 4.0 page-rendering (with no JavaScript required) for maximum browser-compatibility, strong MIME support, address books, and folder manipulation.

The Red Hat SquirrelMail packages provided by the RHSA-2009:0010 advisory introduced a session handling flaw. Users who logged back into SquirrelMail without restarting their web browsers kept their existing session identifier instead of being issued a new one at login, that is, a session fixation weakness. A remote attacker who knew or could plant that identifier could use it to hijack the authenticated user's session. (CVE-2009-0030)

SquirrelMail users should upgrade to this updated package, which contains a patch to correct this issue. In addition, anyone who logged in with an affected version should review their SquirrelMail preferences, since an attacker holding a hijacked session could have altered them.
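The flaw class described above, a login that binds authenticated state to whatever session identifier the browser already presents, is modelled below in an added example; this is not SquirrelMail, Red Hat or Nessus code, and the in-memory store, the user table and the attacker steps are constructed for illustration. It shows the vulnerable login beside the hardened one and a small oracle a tester can reuse: a correct login must return a different session ID from the one it was given.

```python
"""Toy model of the CVE-2009-0030 flaw class: login without session rotation.

Added example, not code from SquirrelMail, Red Hat or Nessus. The store,
user table and attacker steps are constructed for illustration.
"""
import secrets

# Constructed credential table (assumption: plaintext for brevity; real
# code verifies a password hash).
USERS = {"alice": "correct horse battery staple"}


class WebmailSessions:
    """In-memory session store keyed by the session ID carried in a cookie."""

    def __init__(self):
        self.sessions = {}  # sid -> {"user": username or None}

    def new_id(self):
        return secrets.token_hex(16)

    def anonymous(self):
        """Issue a pre-authentication session, as a login page would."""
        sid = self.new_id()
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, presented_sid, user, password):
        """Flawed login: keeps whatever ID the browser already presents.

        This is the shape of the regression in the advisory: a browser that
        still holds a session cookie from an earlier login gets its new
        authenticated state bound to that same, already-known ID.
        """
        if USERS.get(user) != password:
            return None
        sid = presented_sid or self.new_id()
        self.sessions[sid] = {"user": user}
        return sid

    def login_hardened(self, presented_sid, user, password):
        """Correct login: discard the presented ID, bind auth to a fresh one."""
        if USERS.get(user) != password:
            return None
        self.sessions.pop(presented_sid, None)  # invalidate the old ID
        sid = self.new_id()
        self.sessions[sid] = {"user": user}
        return sid

    def whoami(self, sid):
        """What the server believes about the holder of this cookie."""
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(login):
    """Run one session-fixation attempt against a bound login method.

    Returns the identity the attacker obtains by replaying the session ID
    that the victim's browser carried into the login, or None.
    """
    store = login.__self__
    # 1. The victim's browser holds a session ID the attacker knows
    #    (here: a pre-auth ID; in the advisory's case, an ID that
    #    survives re-login and so is already known from earlier use).
    known_sid = store.anonymous()
    # 2. The victim logs in while the browser presents that ID.
    login(known_sid, "alice", USERS["alice"])
    # 3. The attacker replays the ID they already knew.
    return store.whoami(known_sid)


def rotates_on_login(login):
    """True if a successful login returns an ID different from the one presented."""
    store = login.__self__
    presented = store.anonymous()
    new_sid = login(presented, "alice", USERS["alice"])
    return new_sid is not None and new_sid != presented


if __name__ == "__main__":
    print("vulnerable login leaks:", fixation_attack(WebmailSessions().login_vulnerable))
    print("hardened login leaks:  ", fixation_attack(WebmailSessions().login_hardened))
```

The `rotates_on_login` check is the black-box test to run against a real deployment: log in, note the session cookie, log in again in the same browser, and confirm the cookie value changed. In PHP, the language SquirrelMail is written in, the rotate step corresponds to calling `session_regenerate_id(true)` after successful authentication, which issues a new ID and deletes the old session.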

Solution

Update the affected squirrelmail package. Because the flaw was introduced by the RHSA-2009:0010 build rather than by upstream SquirrelMail, verify that the installed package is the RHSA-2009:0057 build or later, for example by checking that the RPM changelog (rpm -q --changelog squirrelmail) references CVE-2009-0030, as Red Hat errata builds record the CVEs they fix there.

See Also

http://www.nessus.org/u?a868e48a

http://www.nessus.org/u?fa401b2a

http://www.nessus.org/u?63a8621c

http://www.nessus.org/u?9ddebb73

http://www.nessus.org/u?3b94db27

http://www.nessus.org/u?b2516b23

Plugin Details

Severity: Medium

ID: 35424

File Name: centos_RHSA-2009-0057.nasl

Version: 1.17

Type: local

Agent: unix

Published: 2009/01/20

Updated: 2019/10/25

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 5.9

CVSS v2.0

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:centos:centos:squirrelmail, cpe:/o:centos:centos:3, cpe:/o:centos:centos:4, cpe:/o:centos:centos:5

Required KB Items: Host/local_checks_enabled, Host/CentOS/release, Host/CentOS/rpm-list

Patch Publication Date: 2009/01/19

Vulnerability Publication Date: 2009/01/21

Reference Information

CVE: CVE-2009-0030, CVE-2009-1580

RHSA: 2009:0057

CWE: 287