The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of SquirrelMail: several vulnerabilities

Synthesis of the vulnerability 

Three vulnerabilities of SquirrelMail permit an attacker to conduct a Cross Site Scripting attack or to inject IMAP commands.
Impacted software (non-exhaustive list): Debian, Fedora, openSUSE, RHEL, RedHat Linux, Unix (platform).
Severity of this computer vulnerability: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 22/02/2006.
Revision date: 28/02/2006.
References for this bulletin: 10310, 20060501-01-U, BID-16756, CERTA-2006-AVI-095, CVE-2006-0188, CVE-2006-0195, CVE-2006-0377, DSA-988-1, FEDORA-2006-133, FEDORA-2006-134, FLSA:190884, FLSA-2006:190884, MDKSA-2006:049, RHSA-2006:028, RHSA-2006:0283-01, SNS Advisory No.86, SUSE-SR:2006:005, VIGILANCE-VUL-5638.

Description of the vulnerability 

The SquirrelMail program permits users to read their mailbox using a web browser.

The webmail.php script does not correctly sanitize its right_frame parameter, which leads to a Cross Site Scripting attack (CVE-2006-0188).

The MagicHTML feature can be used to conduct a Cross Site Scripting attack, but this one only affects Internet Explorer (CVE-2006-0195).

The sqimap_mailbox_select parameter can be used to inject IMAP commands (CVE-2006-0377).
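The third issue is the classic shape of an IMAP command injection: a mailbox name is spliced into a protocol line, so a name carrying CR LF is read by the server as a second command. The following added example (not SquirrelMail code; mailbox names and tags are constructed) contrasts that unsafe pattern with a builder that encodes the name as an RFC 3501 quoted string and refuses control characters.

```python
import re

# Constructed sample mailbox names for the demonstration (not from the advisory).
SAMPLES = {
    "plain": "INBOX.Sent",
    "with_quote": 'Project "Alpha"',
    "with_crlf": "INBOX\r\nA002 NOOP",  # the bytes after CR LF would become a new command
}


def build_select_unsafe(tag: str, mailbox: str) -> str:
    """Vulnerable pattern: the name is spliced straight into the command line."""
    return f'{tag} SELECT "{mailbox}"\r\n'


def quote_mailbox(mailbox: str) -> str:
    """Encode a mailbox name as an RFC 3501 quoted string.

    CR, LF and NUL can never appear inside a quoted string, so they are
    rejected outright; backslashes and double quotes are escaped. IMAP
    mailbox names are 7-bit (modified UTF-7), so 8-bit input is rejected too.
    """
    if re.search(r"[\r\n\x00]", mailbox):
        raise ValueError("mailbox name contains a control character")
    if any(ord(c) > 0x7F for c in mailbox):
        raise ValueError("mailbox name must be 7-bit (modified UTF-7)")
    escaped = mailbox.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_select_safe(tag: str, mailbox: str) -> str:
    """Hardened builder: the name goes through quote_mailbox() first."""
    return f"{tag} SELECT {quote_mailbox(mailbox)}\r\n"


def is_safe_mailbox(mailbox: str) -> bool:
    """Convenience predicate: True when quote_mailbox() accepts the name."""
    try:
        quote_mailbox(mailbox)
        return True
    except ValueError:
        return False


def count_commands(wire: str) -> int:
    """Number of command lines an IMAP server would parse from the bytes."""
    return len([line for line in wire.split("\r\n") if line])


if __name__ == "__main__":
    for name, mailbox in SAMPLES.items():
        unsafe = build_select_unsafe("A001", mailbox)
        print(f"{name}: unsafe builder yields {count_commands(unsafe)} command(s); "
              f"hardened builder accepts: {is_safe_mailbox(mailbox)}")
```

Run stand-alone, the script shows that the CR LF sample turns one SELECT into two commands with the unsafe builder, while the hardened builder rejects it and correctly escapes the embedded quotes of the second sample.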

This bulletin covers software and systems including Debian, Fedora, openSUSE, RHEL, RedHat Linux and Unix (platform); the list is not exhaustive.

The Vigil@nce team rates the severity of this threat as medium (2/4).

Trust level: confirmed by the vendor. Attack origin: intranet client.

This bulletin covers 3 vulnerabilities.

Exploiting this weakness requires an attacker with expert skills.

Solutions for this threat 

SquirrelMail: version 1.4.6.
Version 1.4.6 fixes these vulnerabilities:
  http://www.squirrelmail.org/download.php

Debian: new squirrelmail packages.
New packages are available:
Debian GNU/Linux 3.0 alias woody
  Source archives:
    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-5.dsc
    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-5.diff.gz
    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6.orig.tar.gz
  Architecture independent components:
    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-5_all.deb
Debian GNU/Linux 3.1 alias sarge
  Source archives:
    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-8.dsc
    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-8.diff.gz
    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4.orig.tar.gz
  Architecture independent components:
    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-8_all.deb

Fedora: new squirrelmail packages.
New packages (squirrelmail-1.4.6-1.fc4) are available for Fedora Core 4:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/

Mandriva: new squirrelmail packages.
New packages (squirrelmail-1.4.5-1.2.C30mdk) are available for Corporate 3.0 and Corporate 3.0/X86_64:

Red Hat Linux, Fedora Core (Fedora Legacy): new squirrelmail packages.
New packages are available:
Red Hat Linux 9:
SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/squirrelmail-1.4.6-3.rh9.1.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/squirrelmail-1.4.6-3.rh9.1.legacy.noarch.rpm
Fedora Core 1:
SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/squirrelmail-1.4.6-4.fc1.1.legacy.src.rpm
i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
Fedora Core 2:
SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/squirrelmail-1.4.6-4.fc2.1.legacy.src.rpm
i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/squirrelmail-1.4.6-4.fc2.1.legacy.noarch.rpm
Fedora Core 3:
SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/squirrelmail-1.4.6-4.fc3.1.legacy.src.rpm
i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm
x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm

RHEL: new squirrelmail packages.
New packages are available:
Red Hat Enterprise Linux version 3: squirrelmail-1.4.6-5.el3
Red Hat Enterprise Linux version 4: squirrelmail-1.4.6-5.el4

SGI ProPack: new packages.
Patch 10310 fixes these vulnerabilities.
New packages are available:
  ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/RPMS
  ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/SRPMS

SuSE: new tin, ethereal, zoo, ruby, metamail, squirrelmail, gpg2, tar, opera packages.
New packages are available through YaST or FTP.