SquirrelMail
Hi Paul,
On 16.10.2010 02:44 Paul Lesniewski wrote:
> On Tue, Oct 5, 2010 at 9:28 AM, Moritz Naumann
> <security@moritz-naumann.com> wrote:
>> Squirrelmail plugin 'Virtual Keyboard' version 0.9.1 and lower is
>> vulnerable to cross site scripting (XSS).
[..]
> As a member of the SquirrelMail development team, I am quite
> displeased with this announcement.
Mandriva Linux Security Advisory MDVSA-2009:110
http://www.mandriva.com/security/
_______________________________________________________________________
Package : squirrelmail
Date : May 12, 2009
Affected: Corporate 4.0
_______________________________________________________________________
Problem Description:
On Tue, Oct 5, 2010 at 9:28 AM, Moritz Naumann
<security@moritz-naumann.com> wrote:
> Hi,
>
> Squirrelmail plugin 'Virtual Keyboard' version 0.9.1 and lower is
> vulnerable to cross site scripting (XSS).
>
> The vkeyboard.php script fails to sanitize the value of HTTP GET
> parameter 'passformname' which the script stores in a variable of the
> same name and outputs (unmodified) into an HTML document later. As such,
Mandriva Linux Security Advisory MDVSA-2011:123
http://www.mandriva.com/security/
_______________________________________________________________________
Package : squirrelmail
Date : August 13, 2011
Affected: Corporate 4.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: SquirrelMail G/PGP plugin: Arbitrary code execution
Date: August 11, 2007
Bugs: #185010
ID: 200708-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Mandriva Linux Security Advisory MDVSA-2009:122
http://www.mandriva.com/security/
_______________________________________________________________________
Package : squirrelmail
Date : June 23, 2009
Affected: Corporate 4.0
_______________________________________________________________________
Problem Description:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Site address: http://www.braverock.com/gpg
SquirrelMail plugin page: http://www.squirrelmail.org/plugin_view.php?id=153
1 issue - Deletion of files writable by web server user
SquirrelMail GPG plugin allows end users to delete or overwrite files
writable by the web server user. In default SquirrelMail 1.4.3-1.4.8 setups
Mandriva Linux Security Advisory MDVSA-2009:053
http://www.mandriva.com/security/
_______________________________________________________________________
Package : squirrelmail
Date : February 24, 2009
Affected: Corporate 4.0
_______________________________________________________________________
Problem Description:
Debian Security Advisory DSA-1802-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
May 19, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : squirrelmail
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-1578 CVE-2009-1579 CVE-2009-1580 CVE-2009-1581
Debian Bug : 528528
Hi,
Squirrelmail plugin 'Virtual Keyboard' version 0.9.1 and lower is
vulnerable to cross site scripting (XSS).
The vkeyboard.php script fails to sanitize the value of HTTP GET
parameter 'passformname' which the script stores in a variable of the
same name and outputs (unmodified) into an HTML document later. As such,
it is possible to inject client-evaluated HTML and script code into the
output generated by the application.
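The reflection described in the message above, as an added example that is not part of the original post, of the Virtual Keyboard plugin, or of SquirrelMail. The two model functions stand in for vkeyboard.php (assumed behaviour reconstructed from the text: the 'passformname' query parameter is read into a variable of the same name and written into the page; the surrounding form markup and the example hostname are invented for the demonstration). The plugin itself is PHP; Python is used here so the check runs stand-alone, and the same canary test works unchanged against a live host once `fetch` is a real HTTP client.

```python
"""Reflection check for the 'passformname' GET parameter of vkeyboard.php.

Added example; not code from the Virtual Keyboard plugin, from SquirrelMail,
or from the advisory author.  The model functions below stand in for the PHP
script (assumed behaviour reconstructed from the advisory: the value is read
from the query string, kept in a variable of the same name and written into
the page).  The form markup and hostname are constructed for the example.
"""
import html
import secrets
from urllib.parse import parse_qs, quote, urlsplit


def _passformname(url: str) -> str:
    """Read 'passformname' from the query string, as the script is described to do."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("passformname", [""])[0]


def vkeyboard_vulnerable(url: str) -> str:
    """Model of the unpatched script: the value lands in the HTML unmodified."""
    passformname = _passformname(url)
    return (
        "<html><body>\n"
        f'<form name="{passformname}">\n'
        '<input type="password" name="secretkey">\n'
        "</form></body></html>\n"
    )


def vkeyboard_fixed(url: str) -> str:
    """Hardened model: escaped for the attribute context before output."""
    passformname = _passformname(url)
    return (
        "<html><body>\n"
        f'<form name="{html.escape(passformname, quote=True)}">\n'
        '<input type="password" name="secretkey">\n'
        "</form></body></html>\n"
    )


def make_canary() -> str:
    """Random marker wrapped in the metacharacters that matter for injection.

    The double quote breaks out of an attribute value, '>' closes a tag, and
    the bogus element name will not occur in the page by accident.
    """
    return f'"><x{secrets.token_hex(4)}>'


def reflects_unescaped(fetch, base_url: str, param: str, canary: str = "") -> bool:
    """True when `param` comes back in the body with its metacharacters intact.

    `fetch(url) -> str` returns the response body.  Here it is one of the
    model functions; against a live host it would wrap urllib or requests.
    A response that contains only the HTML-escaped form of the canary is
    reported as not vulnerable, which is the fix the advisory calls for.
    """
    canary = canary or make_canary()
    body = fetch(f"{base_url}?{param}={quote(canary, safe='')}")
    return canary in body


if __name__ == "__main__":
    target = "http://mail.example.test/plugins/vkeyboard/vkeyboard.php"  # assumed host
    for name, fn in (("vulnerable", vkeyboard_vulnerable), ("fixed", vkeyboard_fixed)):
        print(name, "reflects unescaped:", reflects_unescaped(fn, target, "passformname"))
```

The canary carries both `"` and `>` because the advisory does not say in which HTML context the value is written; a marker that survives either an attribute or a text-node context unescaped is enough to confirm the injection without running any script in the tester's own browser.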
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: SquirrelMail: Multiple vulnerabilities
Date: January 13, 2010
Bugs: #269567, #270671
ID: 201001-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Debian Security Advisory DSA-2291-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
August 8, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : squirrelmail
Vulnerability : various
Problem type : remote
Debian-specific: no
CVE ID : CVE-2010-4554 CVE-2010-4555 CVE-2011-2023
CVE-2011-2752 CVE-2011-2753
Mandriva Linux Security Advisory MDVSA-2010:120
http://www.mandriva.com/security/
_______________________________________________________________________
Package : squirrelmail
Date : June 21, 2010
Affected: Corporate 4.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Mandriva Linux Security Advisory MDVSA-2010:158
http://www.mandriva.com/security/
_______________________________________________________________________
Package : squirrelmail
Date : August 23, 2010
Affected: Corporate 4.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Debian Security Advisory DSA-2091-1 security@debian.org
http://www.debian.org/security/ Luciano Bello
August 12, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : squirrelmail
Vulnerability : No user-specific token implemented
Problem type : remote
Debian-specific: no
Debian bug : 543818
CVE ID : CVE-2009-2964 CVE-2010-2813
Debian Security Advisory DSA-1682-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
December 07, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : squirrelmail
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-2379
Mandriva Linux Security Advisory MDVSA-2009:222
http://www.mandriva.com/security/
_______________________________________________________________________
Package : squirrelmail
Date : August 28, 2009
Affected: Corporate 4.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
changes made will most likely generate an error, rather than a
compromise of a system in the event the code does get executed.
Original packages, stored on secure media, have been restored to the
Sourceforge download servers, and additional signatures for the
packages are now available on the SquirrelMail download page at
http://www.squirrelmail.org/download.php
While we believe the changes made should have little impact, we
strongly recommend everybody that has downloaded the 1.4.12 package
after the 8th December, to redownload the package.
Squirrelmail: Session hijacking vulnerability, CVE-2008-3663
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3663
http://int21.de/cve/CVE-2008-3663-squirrelmail.html
http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry
Description
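The Description of this entry is cut off on the page; what follows is an added example, not the advisory's text and not SquirrelMail code. The surf-jack reference listed above concerns session cookies that the browser also sends over plain HTTP because they carry no `Secure` attribute, and CVE-2008-3663 is SquirrelMail's instance of that. The check below parses `Set-Cookie` headers from a login response and flags the session cookie when that attribute (and `HttpOnly`) is missing. The session cookie name is assumed to be SquirrelMail's default and the header samples are constructed.

```python
"""Flag session cookies that a surf-jack style attack can read in the clear.

Added example; not code from SquirrelMail or from the CVE-2008-3663 advisory.
A cookie set without `Secure` is attached by the browser to any http:// request
for the same host, so an attacker who can push the victim's browser to a plain
HTTP URL of the webmail host sees the session id on the wire even though the
login itself happened over HTTPS.  `HttpOnly` is reported too because it limits
what an injected script can do with the same cookie.
"""
from dataclasses import dataclass, field

# Assumed: SquirrelMail's default session cookie name; PHPSESSID covers a
# deployment that left PHP's default in place.
SESSION_COOKIE_NAMES = {"SQMSESSID", "PHPSESSID"}


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute name -> value

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def audit_cookies(headers, over_https: bool = True):
    """Return (cookie name, finding) tuples for the session cookies in `headers`.

    `headers` is an iterable of raw Set-Cookie header values taken from the
    response to a login.  With over_https=False the Secure check is skipped,
    since a site that is plain HTTP throughout has a different problem.
    """
    findings = []
    for raw in headers:
        cookie = parse_set_cookie(raw)
        if cookie.name not in SESSION_COOKIE_NAMES:
            continue
        if over_https and not cookie.secure:
            findings.append((cookie.name,
                             "missing Secure: sent over plain HTTP (surf-jack)"))
        if not cookie.httponly:
            findings.append((cookie.name,
                             "missing HttpOnly: readable from injected script"))
    return findings


# Constructed samples: a header in the unpatched style beside a hardened one.
VULNERABLE_HEADERS = [
    "SQMSESSID=5f2a9c1d3e7b4a6c8d0e1f2a3b4c5d6e; path=/",
]
HARDENED_HEADERS = [
    "SQMSESSID=5f2a9c1d3e7b4a6c8d0e1f2a3b4c5d6e; path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for label, hdrs in (("unpatched", VULNERABLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_cookies(hdrs) or "no findings")
```

On a real target the header list comes from the login response of an HTTPS session; the check is deliberately only about the attributes, so it says nothing about whether the site also answers on port 80, which is what makes the missing attribute exploitable.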
Debian Security Advisory DSA-1802-2 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
May 21, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : squirrelmail
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-1578 CVE-2009-1579 CVE-2009-1580 CVE-2009-1581
CVE-2009-1381
We *STRONGLY* advise all users of 1.4.11 and 1.4.12 to upgrade
immediately.
Package MD5s
============
1a1bdad6245aaabcdd23d9402acb388e squirrelmail-1.4.13.tar.bz2
51ddd67a7ff9272f5a6e1da0b9dfbf18 squirrelmail-1.4.13.tar.gz
ed8871a693cc57d5a0d511f7b89f8781 squirrelmail-1.4.13.zip
We apologize for the inconvenience this may have caused.
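A check for the situation described in this announcement (the tampered 1.4.12 package and the re-download advice earlier on the page, and the Package MD5s list just above), as an added example that is not the project's own tooling. It compares a downloaded archive against the digests copied from the list above; the sample archive bytes used to exercise the "ok" path are constructed so the code runs offline, and the real tarballs are not embedded. The point it makes beyond the announcement: the expected digests must come from the out-of-band list, not from a checksum file sitting next to the download on the same mirror that could have been modified.

```python
"""Verify a downloaded SquirrelMail release against the published MD5 list.

Added example; not code from the SquirrelMail project.  The digests in
PUBLISHED_MD5S are copied from the announcement above; the sample bytes
used in the self-check are constructed.  MD5 collisions are practical, so a
match here is a first filter: the announcement also says signatures for the
packages are published on the download page, and those should be checked too.
"""
import hashlib
import hmac
import re

# Copied from the 'Package MD5s' list in the announcement.
PUBLISHED_MD5S = """
1a1bdad6245aaabcdd23d9402acb388e squirrelmail-1.4.13.tar.bz2
51ddd67a7ff9272f5a6e1da0b9dfbf18 squirrelmail-1.4.13.tar.gz
ed8871a693cc57d5a0d511f7b89f8781 squirrelmail-1.4.13.zip
"""

# md5sum-style line: 32 hex digits, whitespace, optional '*' (binary mode), filename.
_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S+)$")


def parse_md5_list(text: str) -> dict:
    """Return {filename: md5hex} from an md5sum-style list; malformed lines are rejected."""
    table = {}
    for line in text.strip().splitlines():
        match = _LINE.match(line.strip())
        if not match:
            raise ValueError(f"unparseable checksum line: {line!r}")
        table[match.group(2)] = match.group(1).lower()
    return table


def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so a large archive is not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_download(filename: str, data: bytes, published: dict) -> str:
    """Return 'ok', 'mismatch' or 'unlisted'.

    'unlisted' is reported separately from 'mismatch' because a file that is
    not in the announcement's list has no trustworthy digest to compare with,
    which is a different failure from a digest that exists and does not match.
    """
    expected = published.get(filename)
    if expected is None:
        return "unlisted"
    if hmac.compare_digest(expected, md5_of(data)):
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    import sys
    table = parse_md5_list(PUBLISHED_MD5S)
    # usage: python verify.py squirrelmail-1.4.13.tar.gz
    for path in sys.argv[1:]:
        name = path.rsplit("/", 1)[-1]
        with open(path, "rb") as fh:
            print(name, verify_download(name, fh.read(), table))
```

Run it on the archive you actually fetched, not on a copy unpacked and re-packed locally, and treat 'mismatch' as the signal the announcement describes: discard the file and re-download from the project's download page rather than from whichever mirror served it.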