Summary
The remote host is missing an update to squirrelmail announced via advisory MDVSA-2009:110.
Solution
To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
https://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2009:110
Insight
Multiple vulnerabilities have been identified and corrected in squirrelmail:
Two issues were fixed that both allowed an attacker to run arbitrary script (cross-site scripting, XSS) on almost any SquirrelMail page by getting the user to click on specially crafted SquirrelMail links (CVE-2009-1578).
An issue was fixed wherein input to the contrib/decrypt_headers.php script was not sanitized and allowed arbitrary script execution upon submission of certain values (CVE-2009-1578).
An issue was fixed that allowed arbitrary server-side code execution when SquirrelMail was configured to use the example map_yp_alias username mapping functionality (CVE-2009-1579).
An issue was fixed that allowed an attacker to possibly steal user data by hijacking the SquirrelMail login session (CVE-2009-1580).
An issue was fixed that allowed phishing and cross-site scripting (XSS) attacks to be run by surreptitious placement of content in specially-crafted emails sent to SquirrelMail users (CVE-2009-1581).
Additionally, many of the bundled plugins have been upgraded. Basically this is a synchronization with the latest squirrelmail package found in Mandriva Cooker. The rpm changelog will reveal all the changes (rpm -q --changelog squirrelmail).
The updated packages have been upgraded to the latest version of squirrelmail to fix these issues.
Affected: Corporate 4.0
Severity
Classification
CVE: CVE-2009-1578, CVE-2009-1579, CVE-2009-1580, CVE-2009-1581
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P