RHEL 3 / 4 / 5 : squirrelmail (RHSA-2009:0057)

Medium Nessus Plugin ID 35429

VPR Score: 5.9


The remote Red Hat host is missing a security update.


An updated squirrelmail package that fixes a security issue is now available for Red Hat Enterprise Linux 3, 4 and 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

SquirrelMail is an easy-to-configure, standards-based, webmail package written in PHP. It includes built-in PHP support for the IMAP and SMTP protocols, and pure HTML 4.0 page-rendering (with no JavaScript required) for maximum browser-compatibility, strong MIME support, address books, and folder manipulation.

The Red Hat SquirrelMail packages provided by the RHSA-2009:0010 advisory introduced a session-fixation flaw in session handling. Users who logged back into SquirrelMail without restarting their web browsers were reissued their existing session identifier instead of a fresh one. A remote attacker who knew that identifier could use it to hijack the user's session. (CVE-2009-0030)

SquirrelMail users should upgrade to this updated package, which contains a patch to correct this issue. All users who ran the affected versions should also review their SquirrelMail preferences for unexpected changes.
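The hijack above works because the login step trusted whatever session identifier the browser already held. The following is an added illustration, not SquirrelMail's or Red Hat's code: a toy session store with two login handlers. `login_fixed_id` authenticates into the session the browser presents (the behaviour the advisory describes), while `login_regenerate` discards that ID and issues a new one after a successful login. The credential table, user name and attack steps are constructed for the demo, and the scenario generalises the advisory's re-login case to the classic fixation setup where the attacker plants a known ID.

```python
"""Toy model of the session-fixation flaw class behind CVE-2009-0030.

Added example; the session store, handlers and credentials are invented
for illustration and are not SquirrelMail code.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed credential table for the demo.
CREDS = {"alice": "correct horse"}


@dataclass
class Session:
    user: Optional[str] = None  # None until the session is authenticated


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)

    def new_id(self) -> str:
        """Create an unauthenticated session with a random, unguessable ID."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session()
        return sid

    def get_or_create(self, cookie: Optional[str]) -> str:
        """Resume the session named by the cookie, or start a new one."""
        if cookie is None or cookie not in self.sessions:
            return self.new_id()
        return cookie


def authenticate(user: str, password: str) -> bool:
    return CREDS.get(user) == password


def login_fixed_id(store: SessionStore, cookie: Optional[str],
                   user: str, password: str) -> Optional[str]:
    """Vulnerable: marks the *presented* session as logged in.

    Whoever already knows this session ID now owns the authenticated session.
    """
    sid = store.get_or_create(cookie)
    if not authenticate(user, password):
        return None
    store.sessions[sid].user = user
    return sid


def login_regenerate(store: SessionStore, cookie: Optional[str],
                     user: str, password: str) -> Optional[str]:
    """Hardened: drop the presented ID and issue a fresh one on login.

    Any identifier that existed before authentication is now worthless.
    """
    old = store.get_or_create(cookie)
    if not authenticate(user, password):
        return None
    store.sessions.pop(old, None)
    sid = store.new_id()
    store.sessions[sid].user = user
    return sid


def whoami(store: SessionStore, cookie: str) -> Optional[str]:
    """What the server believes about a request carrying this cookie."""
    session = store.sessions.get(cookie)
    return session.user if session else None


def fixation_attack(login) -> Optional[str]:
    """Run the fixation scenario against a login handler.

    Returns the identity the attacker's replayed cookie resolves to after
    the victim logs in: the victim's name if the hijack worked, else None.
    """
    store = SessionStore()
    # 1. Attacker obtains a valid but unauthenticated session ID.
    planted = store.new_id()
    # 2. The victim's browser presents that same ID at login time. In the
    #    advisory's case this was simply the browser's own stale cookie.
    victim_sid = login(store, planted, "alice", "correct horse")
    if victim_sid is None:
        raise RuntimeError("demo credentials should authenticate")
    # 3. Attacker replays the ID they already knew.
    return whoami(store, planted)


if __name__ == "__main__":
    print("fixed-ID login, attacker sees:", fixation_attack(login_fixed_id))
    print("regenerating login, attacker sees:", fixation_attack(login_regenerate))
```

The check to carry over to real code is the one `login_regenerate` performs: after credentials are verified, the session identifier must change, so that no ID observed or planted before authentication remains valid afterwards.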


Update the affected squirrelmail package.

Plugin Details

Severity: Medium

ID: 35429

File Name: redhat-RHSA-2009-0057.nasl

Version: 1.24

Type: local

Agent: unix

Published: 2009/01/20

Updated: 2019/10/25

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 5.9

CVSS v2.0

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:squirrelmail, cpe:/o:redhat:enterprise_linux:3, cpe:/o:redhat:enterprise_linux:4, cpe:/o:redhat:enterprise_linux:4.7, cpe:/o:redhat:enterprise_linux:5, cpe:/o:redhat:enterprise_linux:5.2

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Patch Publication Date: 2009/01/19

Vulnerability Publication Date: 2009/01/21

Reference Information

CVE: CVE-2009-0030, CVE-2009-1580

RHSA: 2009:0057

CWE: 287