邮件头SquirrelMailHTML注入漏洞

漏洞信息详情

邮件头SquirrelMailHTML注入漏洞

• CNNVD编号：CNNVD-200408-022
• 危害等级： 中危
  
  
• CVE编号：
  CVE-2004-0639
  
• 漏洞类型：
  
  
  跨站脚本
  
• 发布时间：
  
  2004-08-06
  
• 威胁类型：
  
  
  远程
  
• 更新时间：
  
  2007-01-02
  
• 厂        商：
  
  squirrelmail
• 漏洞来源：
  Open Webmail

Squirrelmail 1.2.10以及之前的版本存在多个跨站脚本攻击(XSS)漏洞。远程攻击者借助（1）read_body.php的$mailer变量，（2）mailbox_display.php的$senderNames_part变量，和可能包括（3）$event_title变量或（4）$event_text变量的其它向量注入任意HTML或脚本。

Debian has released security advisory DSA 535-1 with fixes to address this issue.
The vendor has released upgrades dealing with this issue.
Conectiva has released a security advisory (CLA-2004:858) to address multiple issues in squirrelmail. Please see the referenced advisory for more information.
SquirrelMail SquirrelMail 1.2 .0

• SquirrelMail squirrelmail-1.4.3.tar.gz
  
  http://www.squirrelmail.org/download.php

SquirrelMail SquirrelMail 1.2.1

• SquirrelMail squirrelmail-1.4.3.tar.gz
  
  http://www.squirrelmail.org/download.php

SquirrelMail SquirrelMail 1.2.2

• SquirrelMail squirrelmail-1.4.3.tar.gz
  
  http://www.squirrelmail.org/download.php

SquirrelMail SquirrelMail 1.2.3

• SquirrelMail squirrelmail-1.4.3.tar.gz
  
  http://www.squirrelmail.org/download.php

SquirrelMail SquirrelMail 1.2.4

• SquirrelMail squirrelmail-1.4.3.tar.gz
  
  http://www.squirrelmail.org/download.php

SquirrelMail SquirrelMail 1.2.5

• SquirrelMail squirrelmail-1.4.3.tar.gz
  
  http://www.squirrelmail.org/download.php

SquirrelMail SquirrelMail 1.2.6

• Conectiva squirrelmail-1.4.3a-13677U90_1cl.noarch.rpm
  ftp://atualizacoes.conectiva.com.br/9/RPMS/squirrelmail-1.4.3a-13677U9
  0_1cl.noarch.rpm
• Conectiva squirrelmail-doc-1.4.3a-13677U90_1cl.noarch.rpm
  ftp://atualizacoes.conectiva.com.br/9/RPMS/squirrelmail-doc-1.4.3a-136
  77U90_1cl.noarch.rpm
• Debian squirrelmail_1.2.6-1.4_all.debDebian GNU/Linux 3.0 alias woody
  
  http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelma
  il_1.2.6-1.4_all.deb
• SquirrelMail squirrelmail-1.4.3.tar.gz
  
  http://www.squirrelmail.org/download.php

来源: BID
名称: 10450
链接:http://www.securityfocus.com/bid/10450

来源: DEBIAN
名称: DSA-535
链接:http://www.debian.org/security/2004/dsa-535

来源: XF
名称: squirrelmail-from-header-xss(16285)
链接:http://xforce.iss.net/xforce/xfdb/16285

来源: www.rs-labs.com
链接:http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt

来源: BUGTRAQ
名称: 20040530 RS-2004-1: SquirrelMail “Content-Type” XSS vulnerability
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=108611554415078&w=2

来源: CONECTIVA
名称: CLA-2004:858
链接:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000858

来源: bugs.debian.org
链接:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=257973