int(4904)

Vulnerability Bulletins

Cross-Site Request Forgery en SquirrelMail

Vulnerability classification
Property Value
Confidence level Oficial
Impact Aumento de privilegios
Dificulty Experto
Required attacker level Acceso remoto sin cuenta a un servicio estandar

System information
Property Value
Affected manufacturer GNU/Linux
Affected software SquirrelMail 1.4.x < 1.4.20

Description
Se han descubierto múltiples Cross-Site Request Forgery en SquirrelMail 1.4.

Un atacante remoto podría suplantar la identidad mediante una petición HTTP especialmente diseñada.

Solution


Actualización de software

Red Hat (RHSA-2009:1490-1)
RHEL Desktop Workstation (v. 5 cliente)
Red Hat Desktop (v. 3)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 servidor)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.8.z)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.8.z)
Red Hat Enterprise Linux EUS (v. 5.4.z servidor)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Enterprise Linux WS (v. 4)
https://rhn.redhat.com/

Debian (DSA 2091-1)

Debian Linux 5.0

Source
http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.15-4+lenny3.1.diff.gz
http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.15.orig.tar.gz
http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.15-4+lenny3.1.dsc
independent packages:
http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.15-4+lenny3.1_all.deb

Standar resources
Property Value
CVE CVE-2009-2964
BID 36196

Other resources
Red Hat Security Advisory (RHSA-2009:1490-1)
https://rhn.redhat.com/errata/RHSA-2009-1490.html

Debian Security Advisory (DSA 2091-1)
http://lists.debian.org/debian-security-announce/2010/msg00136.html

Version history
Version Comments Date
1.0 Aviso emitido 2009-10-09
1.1 Aviso emitido por Debian (DSA 2091-1) 2010-08-27
Ministerio de Defensa
CNI
CCN
CCN-CERT