Vulnerability Assessment & Network Security Forums



If a vulnerability assessment detects the network security issue described below, applying the appropriate security patches in a timely manner is very important. If you have determined that your system has already been compromised, CERT's network security recovery document lists the recommended steps for system recovery.




Vulnerability Assessment Details

SquirrelMail < 1.4.4 XSS Vulnerabilities

Vulnerability Assessment Summary
Checks for Three XSS Vulnerabilities in SquirrelMail < 1.4.4

Detailed Explanation for this Vulnerability Assessment

The target is running at least one instance of SquirrelMail whose
version number suggests it is vulnerable to one or more cross-site
scripting and file-inclusion vulnerabilities :

- Insufficient escaping of integer variables in webmail.php permits a
remote attacker to inject HTML / script into a SquirrelMail web page
(affects 1.4.0-RC1 - 1.4.4-RC1).

- Insufficient checking of incoming URL variables in webmail.php permits
a remote attacker to load an arbitrary remote web page inside the
SquirrelMail frameset (affects 1.4.0-RC1 - 1.4.4-RC1).

- A recent change in prefs.php permits a remote attacker to supply a
specially crafted URL that causes a local file to be included and
executed as SquirrelMail code, if and only if PHP's register_globals
setting is enabled (affects 1.4.3-RC1 - 1.4.4-RC1).

***** Nessus has determined that the vulnerability exists on the target
***** solely by looking at the version number of the SquirrelMail
***** installed there. The flaws themselves were not exercised, so an
***** installation carrying a backported fix will still be reported.
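The version-only check described above is easy to get wrong for SquirrelMail because of its "-RCn" pre-release and "a"/"b" letter suffixes (1.4.4-RC1 is affected, 1.4.4 is not; 1.4.3a sorts after 1.4.3-RC1). The following Python is an added example written for this page, not the Nessus plugin's own NASL code and not SquirrelMail code. It parses such version strings, orders them correctly, and reports which of the three issues apply to a given version, treating the prefs.php issue as "reported" when the state of register_globals is unknown (as a version-only scanner must). The HTML banner extractor assumes the SquirrelMail login page shows the string "SquirrelMail version X.Y.Z"; that banner format, and the sample HTML, are assumptions constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional

# A final release sorts after every -RCn pre-release of the same number.
FINAL = 999


class SMVersion(NamedTuple):
    """Comparable SquirrelMail version: tuple ordering does the work."""
    major: int
    minor: int
    patch: int
    letter: int   # 0 for none, 1 for 'a', 2 for 'b', ... (1.4.3a > 1.4.3)
    rc: int       # RC number for a pre-release, FINAL for a final release


# e.g. "1.4.4", "1.4.3a", "1.4.4-RC1", "1.4.0-RC1"
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z])?(?:-?rc(\d+))?$", re.IGNORECASE)


def parse_version(s: str) -> SMVersion:
    """Parse a SquirrelMail version string into an orderable SMVersion."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised SquirrelMail version string: {s!r}")
    major, minor, patch, letter, rc = m.groups()
    return SMVersion(
        int(major), int(minor), int(patch),
        (ord(letter.lower()) - ord("a") + 1) if letter else 0,
        int(rc) if rc else FINAL,
    )


# (description, first affected, last affected, requires register_globals)
# Ranges are the ones stated in the advisory text above.
ISSUES = [
    ("webmail.php integer variable XSS", "1.4.0-RC1", "1.4.4-RC1", False),
    ("webmail.php remote page inclusion in frameset", "1.4.0-RC1", "1.4.4-RC1", False),
    ("prefs.php local file inclusion (register_globals only)", "1.4.3-RC1", "1.4.4-RC1", True),
]

FIXED_IN = parse_version("1.4.4")


def is_vulnerable(version: str) -> bool:
    """True when the version sorts before the fixed release 1.4.4."""
    return parse_version(version) < FIXED_IN


def affected_issues(version: str, register_globals: Optional[bool] = None) -> List[str]:
    """Return the issues that apply to `version`.

    register_globals=None means "unknown": the prefs.php issue is then
    reported, exactly as a version-only scanner has to do.  Pass False
    when you have confirmed register_globals is off to suppress it.
    """
    v = parse_version(version)
    hits = []
    for name, lo, hi, needs_rg in ISSUES:
        if parse_version(lo) <= v <= parse_version(hi):
            if needs_rg and register_globals is False:
                continue
            hits.append(name)
    return hits


# ASSUMPTION: the login page carries a "SquirrelMail version X.Y.Z" banner.
_BANNER_RE = re.compile(r"SquirrelMail\s+version\s+([0-9][0-9A-Za-z.\-]*)", re.IGNORECASE)


def version_from_login_page(html: str) -> Optional[str]:
    """Pull the version string out of a fetched login page, or None."""
    m = _BANNER_RE.search(html)
    return m.group(1) if m else None


# Constructed sample of a login page fragment (not captured from a real host).
SAMPLE_LOGIN_HTML = (
    "<html><body><form action='redirect.php'>...</form>"
    "<center><small>SquirrelMail version 1.4.3a<br />"
    "By the SquirrelMail Project Team</small></center></body></html>"
)

if __name__ == "__main__":
    ver = version_from_login_page(SAMPLE_LOGIN_HTML)
    print("detected version:", ver)
    print("vulnerable:", is_vulnerable(ver))
    for issue in affected_issues(ver):
        print(" -", issue)
```

Because the version string is compared as a tuple, the boundaries the advisory gives are honoured exactly: 1.4.4-RC1 is inside every affected range while 1.4.4 is outside, and 1.4.2 falls in the two webmail.php ranges but before the 1.4.3-RC1 start of the prefs.php range.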

Solution : Upgrade to SquirrelMail 1.4.4 or later.
Network Security Threat Level: Medium

Network Security ID: 12337

Vulnerability Assessment Copyright: This script is Copyright (C) 2005 George A. Theall
