漏洞信息详情
邮件头SquirrelMailHTML注入漏洞
- CNNVD编号:CNNVD-200408-022
- 危害等级: 中危
- CVE编号: CVE-2004-0639
- 漏洞类型: 跨站脚本
- 发布时间: 2004-08-06
- 威胁类型: 远程
- 更新时间: 2007-01-02
- 厂 商: squirrelmail
- 漏洞来源: Open Webmail
漏洞简介
Squirrelmail 1.2.10以及之前的版本存在多个跨站脚本攻击(XSS)漏洞。远程攻击者借助(1)read_body.php的$mailer变量,(2)mailbox_display.php的$senderNames_part变量,和可能包括(3)$event_title变量或(4)$event_text变量的其它向量注入任意HTML或脚本。
漏洞公告
Debian has released security advisory DSA 535-1 with fixes to address this issue. The vendor has released upgrades dealing with this issue. Conectiva has released a security advisory (CLA-2004:858) to address multiple issues in squirrelmail. Please see the referenced advisory for more information. SquirrelMail SquirrelMail 1.2 .0
- SquirrelMail squirrelmail-1.4.3.tar.gz http://www.squirrelmail.org/download.php
- SquirrelMail squirrelmail-1.4.3.tar.gz http://www.squirrelmail.org/download.php
- SquirrelMail squirrelmail-1.4.3.tar.gz http://www.squirrelmail.org/download.php
- SquirrelMail squirrelmail-1.4.3.tar.gz http://www.squirrelmail.org/download.php
- SquirrelMail squirrelmail-1.4.3.tar.gz http://www.squirrelmail.org/download.php
- SquirrelMail squirrelmail-1.4.3.tar.gz http://www.squirrelmail.org/download.php
- Conectiva squirrelmail-1.4.3a-13677U90_1cl.noarch.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/squirrelmail-1.4.3a-13677U9 0_1cl.noarch.rpm
- Conectiva squirrelmail-doc-1.4.3a-13677U90_1cl.noarch.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/squirrelmail-doc-1.4.3a-136 77U90_1cl.noarch.rpm
- Debian squirrelmail_1.2.6-1.4_all.debDebian GNU/Linux 3.0 alias woody http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelma il_1.2.6-1.4_all.deb
- SquirrelMail squirrelmail-1.4.3.tar.gz http://www.squirrelmail.org/download.php
参考网址
来源: BID 名称: 10450 链接:http://www.securityfocus.com/bid/10450 来源: DEBIAN 名称: DSA-535 链接:http://www.debian.org/security/2004/dsa-535 来源: XF 名称: squirrelmail-from-header-xss(16285) 链接:http://xforce.iss.net/xforce/xfdb/16285 来源: www.rs-labs.com 链接:http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt 来源: BUGTRAQ 名称: 20040530 RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability 链接:http://marc.theaimsgroup.com/?l=bugtraq&m=108611554415078&w=2 来源: CONECTIVA 名称: CLA-2004:858 链接:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000858 来源: bugs.debian.org 链接:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=257973
受影响实体
- Squirrelmail Squirrelmail:1.2.8
- Squirrelmail Squirrelmail:1.2.9
- Squirrelmail Squirrelmail:1.4
- Squirrelmail Squirrelmail:1.4.1
- Squirrelmail Squirrelmail:1.4.2
补丁
暂无
评论