Summary
The target is running at least one instance of SquirrelMail whose version number is between 1.2.0 and 1.2.10 inclusive. Such versions do not properly sanitize From headers, leaving users vulnerable to XSS attacks. Further, since SquirrelMail displays From headers when listing a folder, attacks does not require a user to actually open a message, only view the folder listing.
For example, a remote attacker could effectively launch a DoS against a user by sending a message with a From header such as :
From:<!--<>(-->John Doe<script>document.cookie='PHPSESSID=xxx path=/'
</script><>
which rewrites the session ID cookie and effectively logs the user out.
***** OVS has determined the vulnerability exists on the target ***** simply by looking at the version number(s) of Squirrelmail ***** installed there.
Solution
Upgrade to SquirrelMail 1.2.11 or later or wrap the call to sqimap_find_displayable_name in printMessageInfo in functions/mailbox_display.php with a call to htmlentities.
Severity
Classification
-
CVE CVE-2004-0639 -
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Apache ActiveMQ Multiple Vulnerabilities
- Ampache Reflected Cross Site Scripting Vulnerability
- 1024 CMS 1.1.0 Beta 'force_download.php' Local File Include Vulnerability
- 2532|Gigs Directory Traversal And SQL Injection Multiple Vulnerabilities
- Allegro RomPager HTTP Referer Header Cross Site Scripting Vulnerability