[gentoo-announce] [ GLSA 201001-08 ] SquirrelMail: Multiple vulnerabilities

[news 28]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Gentoo Linux Security Advisory GLSA 201001-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

http://security.gentoo.org/

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Severity: High

Title: SquirrelMail: Multiple vulnerabilities

Date: January 13, 2010

Bugs: #269567, #270671

ID: 201001-08

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Synopsis

========

 

Multiple vulnerabilities were found in SquirrelMail of which the worst

results in remote code execution.

 

Background

==========

 

SquirrelMail is a standards-based webmail package written in PHP.

 

Affected packages

=================

 

-------------------------------------------------------------------

Package / Vulnerable / Unaffected

-------------------------------------------------------------------

1 mail-client/squirrelmail < 1.4.19 >= 1.4.19

 

Description

===========

 

Multiple vulnerabilities were found in SquirrelMail:

 

* Niels Teusink reported multiple input sanitation flaws in certain

encrypted strings in e-mail headers, related to

contrib/decrypt_headers.php, PHP_SELF and the query string (aka

QUERY_STRING) (CVE-2009-1578).

 

* Niels Teusink also reported that the map_yp_alias() function in

functions/imap_general.php does not filter shell metacharacters in a

username and that the original patch was incomplete (CVE-2009-1381,

CVE-2009-1579).

 

* Tomas Hoger discovered an unspecified session fixation

vulnerability (CVE-2009-1580).

 

* Luc Beurton reported that functions/mime.php does not protect the

application's content from Cascading Style Sheets (CSS) positioning

in HTML e-mail messages (CVE-2009-1581).

 

Impact

======

 

The vulnerabilities allow remote attackers to execute arbitrary code

with the privileges of the user running the web server, to hijack web

sessions via a crafted cookie, to spoof the user interface and to

conduct Cross-Site Scripting and phishing attacks, via a specially

crafted message.

 

Workaround

==========

 

There is no known workaround at this time.

 

Resolution

==========

 

All SquirrelMail users should upgrade to the latest version:

 

# emerge --sync

# emerge --ask --oneshot --verbose ">=mail-client/squirrelmail-1.4.19"

 

References

==========

 

[ 1 ] CVE-2009-1381

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1381

[ 2 ] CVE-2009-1578

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1578

[ 3 ] CVE-2009-1579

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1579

[ 4 ] CVE-2009-1580

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1580

[ 5 ] CVE-2009-1581

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1581

 

Availability

============

 

This GLSA and any updates to it are available for viewing at

the Gentoo Security Website:

 

http://security.gentoo.org/glsa/glsa-201001-08.xml

 

Concerns?

=========

 

Security is a primary focus of Gentoo Linux and ensuring the

confidentiality and security of our users machines is of utmost

importance to us. Any security concerns should be addressed to

security ( -at -) gentoo.org or alternatively, you may file a bug at

https://bugs.gentoo.org.

 

License

=======

 

Copyright 2010 Gentoo Foundation, Inc; referenced text

belongs to its owner(s).

 

The contents of this document are licensed under the

Creative Commons - Attribution / Share Alike license.

 

http://creativecommons.org/licenses/by-sa/2.5