Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 269567 (CVE-2009-1578) - <mail-client/squirrelmail-1.4.18: Multiple vulnerabilities (CVE-2009-{1578,1579,1580,1581})
Summary: <mail-client/squirrelmail-1.4.18: Multiple vulnerabilities (CVE-2009-{1578,15...
Status: RESOLVED FIXED
Alias: CVE-2009-1578
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://www.squirrelmail.org/security/
Whiteboard: C1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-05-12 16:15 UTC by Alex Legler (RETIRED)
Modified: 2010-01-13 22:16 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-12 16:15:52 UTC 
CVE-2009-1578: Multiple XSS vunlerabilities in (1) functions/global.php and (2) contrib/decrypt_headers.php.

CVE-2009-1579: Remote arbitrary command injection in functions/imap_general.php "when SquirrelMail was configured to use the example "map_yp_alias" username mapping functionality".

CVE-2009-1580: Session fixation vulnerability

CVE-2009-1581: XSS via CSS positioning parameters in functions/mime.php.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-12 16:17:01 UTC 
Remedy: Update to 1.4.18.
Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2009-05-12 17:36:36 UTC 
(In reply to comment #1)
> Remedy: Update to 1.4.18.
> 

did so.

Candidate for stabilization:

=mail-client/squirrelmail-1.4.18
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-12 17:57:44 UTC 
Arches, please test and mark stable:
=mail-client/squirrelmail-1.4.18
Target keywords : "alpha amd64 ppc ppc64 sparc x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-13 06:46:10 UTC 
!!! dodoc: AUTHORS does not exist
!!! dodoc: COPYING does not exist
!!! dodoc: ChangeLog does not exist
!!! dodoc: INSTALL does not exist
!!! dodoc: ReleaseNotes does not exist
!!! dodoc: UPGRADE does not exist
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-13 07:06:36 UTC 
x86 stable
Comment 6 Richard Freeman gentoo-dev 2009-05-13 13:32:03 UTC 
amd64 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2009-05-13 17:23:20 UTC 
Stable on alpha.
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-15 09:18:26 UTC 
CVE-2009-1578 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1578):
  Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail
  before 1.4.18 allow remote attackers to inject arbitrary web script
  or HTML via vectors involving (1) certain encrypted strings in e-mail
  headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and
  (3) the query string (aka QUERY_STRING).

CVE-2009-1579 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1579):
  The map_yp_alias function in functions/imap_general.php in
  SquirrelMail before 1.4.18 allows remote attackers to execute
  arbitrary commands via shell metacharacters in a username string that
  is used by the ypmatch program.

CVE-2009-1580 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1580):
  Session fixation vulnerability in SquirrelMail before 1.4.18 allows
  remote attackers to hijack web sessions via a crafted cookie.

CVE-2009-1581 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1581):
  functions/mime.php in SquirrelMail before 1.4.18 does not protect the
  application's content from Cascading Style Sheets (CSS) positioning
  in HTML e-mail messages, which allows remote attackers to spoof the
  user interface, and conduct cross-site scripting (XSS) and phishing
  attacks, via a crafted message.
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2009-05-15 16:24:23 UTC 
(In reply to comment #4)
> !!! dodoc: AUTHORS does not exist
> !!! dodoc: COPYING does not exist
> !!! dodoc: ChangeLog does not exist
> !!! dodoc: INSTALL does not exist
> !!! dodoc: ReleaseNotes does not exist
> !!! dodoc: UPGRADE does not exist
> 
fixed
Comment 10 Tiago Cunha (RETIRED) gentoo-dev 2009-05-15 16:59:05 UTC 
Done by josejx for ppc and ppc64.
Comment 11 Tiago Cunha (RETIRED) gentoo-dev 2009-05-15 17:04:01 UTC 
sparc stable
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2009-05-15 17:10:34 UTC 
and 1.4.17 removed. ready for glsa.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-13 22:16:15 UTC 
GLSA 201001-08, thanks everyone.