Vulnerability Bulletins |
Vulnerabilidad de cross site scripting in SquirrelMail |
|
Vulnerability classification |
|
| Property | Value |
| Confidence level | Oficial |
| Impact | Confidencialidad |
| Dificulty | Avanzado |
| Required attacker level | Acceso remoto con cuenta |
System information |
|
| Property | Value |
| Affected manufacturer | GNU/Linux |
| Affected software |
SquirrelMail <= 1.4.3a SquirrelMail 1.5.1-cvs < 23 /10/2004 |
Description |
|
| Existe una vulnerabilidad de cross site scripting en la decodificación de texto en ciertas cabeceras. SquirrelMail decodifica correctamente cabeceras diseñadas malintencionadamente pero no filtra las cadenas decodificadas. | |
Solution |
|
|
Actualización de software SquirrelMail <= 1.4.3a http://prdownloads.sourceforge.net/squirrelmail/sm143a-xss.diff?download SquirrelMail 1.5.1-cvs Realice la actualización mediante el CVS Fedora Fedora Core 2: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/SRPMS/squirrelmail-1.4.3a-6.FC2.src.rpm http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/x86_64/squirrelmail-1.4.3a-6.FC2.noarch.rpm http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/i386/squirrelmail-1.4.3a-6.FC2.noarch.rpm Fedora Core 3: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/SRPMS/squirrelmail-1.4.3a-6.FC3.src.rpm http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/64/squirrelmail-1.4.3a-6.FC3.noarch.rpm http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/i386/squirrelmail-1.4.3a-6.FC3.noarch.rpm Red Hat Linux Red Hat Desktop (v. 3)/SRPMS: squirrelmail-1.4.3a-7.EL3.src.rpm Red Hat Desktop (v. 3)/IA-32: squirrelmail-1.4.3a-7.EL3.noarch.rpm Red Hat Enterprise Linux AS (v. 3)/SRPMS: squirrelmail-1.4.3a-7.EL3.src.rpm Red Hat Enterprise Linux AS (v. 3)/IA-32: squirrelmail-1.4.3a-7.EL3.noarch.rpm Red Hat Enterprise Linux ES (v. 3)/SRPMS: squirrelmail-1.4.3a-7.EL3.src.rpm Red Hat Enterprise Linux ES (v. 3)/IA-32: squirrelmail-1.4.3a-7.EL3.noarch.rpm Red Hat Enterprise Linux WS (v. 3)/SRPMS: squirrelmail-1.4.3a-7.EL3.src.rpm Red Hat Enterprise Linux WS (v. 3)/IA-32: squirrelmail-1.4.3a-7.EL3.noarch.rpm https://rhn.redhat.com/ Apple Mac OS X 10.3.7 Server http://www.apple.com/support/downloads/securityupdate2005001macosx1037server.html SuSE Linux Distribuciones basadas en SuSE Linux - Actualizar mediante YaST Online Update |
|
Standar resources |
|
| Property | Value |
| CVE | CAN-2004-1036 |
| BID | |
Other resources |
|
|
SquirrelMail Security Notice http://www.squirrelmail.org/ Secunia Advisories (SA13323) http://secunia.com/advisories/13323/ Fedora Devel List http://www.redhat.com/archives/fedora-devel-list/2004-November/msg00929.html Red Hat Linux Security Advisory RHSA-2004:654-05 https://rhn.redhat.com/errata/RHSA-2004-654.html Security Update 2005-001 for Mac OS X http://docs.info.apple.com/article.html?artnum=300770 SUSE Security Summary Report SUSE-SR:2005:002 http://www.novell.com/linux/security/advisories/2005_02_sr.html |
|
Version history |
||
| Version | Comments | Date |
| 1.0 | Aviso emitido | 2004-11-11 |
| 1.1 | Aviso emitido por Fedora Linux | 2004-11-29 |
| 1.2 | Aviso emitido por Red Hat Linux (RHSA-2004:654-05) | 2004-12-27 |
| 1.3 | Aviso emitido por Apple (2005-001) | 2005-01-26 |
| 1.4 | Aviso emitido por SuSE (SUSE-SR:2005:002) | 2005-01-28 |