Solution
Please Install the Updated Packages.
Insight
SquirrelMail is a standards-based webmail package written in PHP.
A server-side code injection flaw was found in the SquirrelMail "
map_yp_alias"
function. If SquirrelMail was configured to retrieve a user's IMAP server address from a Network Information Service (NIS) server via the "
map_yp_alias"
function, an unauthenticated, remote attacker using a specially-crafted username could use this flaw to execute arbitrary code with the privileges of the web server. (CVE-2009-1579)
Multiple cross-site scripting (XSS) flaws were found in SquirrelMail. An attacker could construct a carefully crafted URL, which once visited by an unsuspecting user, could cause the user's web browser to execute malicious script in the context of the visited SquirrelMail web page. (CVE-2009-1578)
It was discovered that SquirrelMail did not properly sanitize Cascading Style Sheets (CSS) directives used in HTML mail. A remote attacker could send a specially-crafted email that could place mail content above SquirrelMail's controls, possibly allowing phishing and cross-site scripting attacks. (CVE-2009-1581)
Users of squirrelmail should upgrade to this updated package, which contains backported patches to correct these issues.
Affected
squirrelmail on CentOS 3
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2009-1578, CVE-2009-1579, CVE-2009-1581 -
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Related Vulnerabilities