Rapid7 Vulnerability & Exploit Database

CESA-2005:099: squirrelmail security update

Back to Search

CESA-2005:099: squirrelmail security update

Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
01/24/2005
Created
07/25/2018
Added
03/12/2010
Modified
07/04/2017

Description

An updated Squirrelmail package that fixes several security issues is now available for CentOS Linux 4. This update has been rated as having moderate security impact by the CentOS Security Response Team.

SquirrelMail is a standards-based webmail package written in PHP4. Jimmy Conner discovered a missing variable initialization in Squirrelmail. This flaw could allow potential insecure file inclusions on servers where the PHP setting "register_globals" is set to "On". This is not a default or recommended setting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0075 to this issue. A URL sanitisation bug was found in Squirrelmail. This flaw could allow a cross site scripting attack when loading the URL for the sidebar. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0103 to this issue. A missing variable initialization bug was found in Squirrelmail. This flaw could allow a cross site scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0104 to this issue. Users of Squirrelmail are advised to upgrade to this updated package, which contains backported patches to correct these issues.

Solution(s)

  • centos-upgrade-squirrelmail

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;