Summary
The remote host is missing an update to squirrelmail announced via advisory DSA 988-1.
Several vulnerabilities have been discovered in Squirrelmail, a commonly used webmail system. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2006-0188
Martijn Brinkers and Ben Maurer found a flaw in webmail.php that allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter.
CVE-2006-0195
Martijn Brinkers and Scott Hughes discovered an interpretation conflict in the MagicHTML filter that allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) /* and */ comments, or (2) slashes inside the url keyword, which is processed by some web browsers including Internet Explorer.
CVE-2006-0377
Vicente Aguilera of Internet Security Auditors, S.L. discovered a CRLF injection vulnerability, which allows remote attackers to inject arbitrary IMAP commands via newline characters in the mailbox parameter of the sqimap_mailbox_select command, aka IMAP injection. There's no known way to exploit this yet.
For the old stable distribution (woody) these problems have been fixed in version 1.2.6-5.
Solution
For the stable distribution (sarge) these problems have been fixed in version 2:1.4.4-8.
For the unstable distribution (sid) these problems have been fixed in version 2:1.4.6-1.
We recommend that you upgrade your squirrelmail package.
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20988-1
Severity
Classification
-
CVE CVE-2006-0188, CVE-2006-0195, CVE-2006-0377 -
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:N/I:P/A:N
Related Vulnerabilities