Summary
The remote host is missing an update to squirrelmail announced via advisory DSA 662-2.
Solution
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20662-2
Insight
Andrew Archibald discovered that the last update to squirrelmail which was intended to fix several problems caused a regression which got exposed when the user hits a session timeout. For completeness below is the original advisory text:
Several vulnerabilities have been discovered in Squirrelmail, a commonly used webmail system. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2005-0104
Upstream developers noticed that an unsanitised variable could lead to cross site scripting.
CVE-2005-0152
Grant Hollingworth discovered that under certain circumstances URL manipulation could lead to the execution of arbitrary code with the privileges of www-data. This problem only exists in version 1.2.6 of Squirrelmail.
For the stable distribution (woody) these problems have been fixed in version 1.2.6-3.
The correction in the unstable distribution (sid) is not affected by this regression.
We recommend that you upgrade your squirrelmail package.
Severity
Classification
-
CVE CVE-2005-0104, CVE-2005-0152 -
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities