Vulnerability details
SquirrelMail multiple-form cross-site request forgery vulnerability
- CNNVD ID: CNNVD-200908-407
- Severity: Medium
- CVE ID: CVE-2009-2964
- Vulnerability type: Cross-site request forgery
- Published: 2009-08-25
- Threat type: Remote
- Updated: 2009-08-26
- Vendor: squirrelmail
- Source: Tomas Hoger thoge...
Description
SquirrelMail is a webmail application written in PHP. SquirrelMail does not verify that submissions to several of its forms (send message, change preferences, and others) were intentionally initiated by the logged-in user, so a remote attacker who lures that user to a malicious page can forge requests in the user's session and perform actions such as deleting or sending mail. The affected pages are: functions/mailbox_display.php, src/addrbook_search_html.php, src/addressbook.php, src/compose.php, src/folders.php, src/folders_create.php, src/folders_delete.php, src/folders_rename_do.php, src/folders_rename_getname.php, src/folders_subscribe.php, src/move_messages.php, src/options.php, src/options_highlight.php, src/options_identities.php, src/options_order.php, src/search.php, src/vcard.php.
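The following is an added illustration, not SquirrelMail's own code: a "delete message" handler written in the unprotected form the description above refers to, beside a version protected by a per-session security token. The handler names, the hypothetical delete.php action, the csrf_token field name and the in-memory session and mailbox are all constructed for the example so that it runs from the command line without a web server.

```php
<?php
declare(strict_types=1);
// Added example, not SquirrelMail code. Run with: php csrf_example.php
// Session and mailbox are plain arrays standing in for $_SESSION and IMAP.

// The raw mailbox operation, shared by both handlers.
function apply_delete(array &$mailbox, $msgid): bool
{
    if ($msgid === null || !isset($mailbox[$msgid])) {
        return false;
    }
    unset($mailbox[$msgid]);
    return true;
}

// Unprotected pattern: the handler acts on any request that arrives with a
// valid session cookie. The browser attaches that cookie automatically, so a
// form auto-submitted from an attacker's page is indistinguishable from the
// user clicking "Delete" in the real interface.
function handle_delete_unprotected(array &$mailbox, array $request): bool
{
    return apply_delete($mailbox, $request['msgid'] ?? null);
}

// Protected pattern: a per-session secret embedded in the server's own forms.
// Same-origin policy keeps an attacker's page from reading it, so a forged
// request cannot include it.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_secret'])) {
        $session['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_secret'];
}

function csrf_valid(array $session, array $request): bool
{
    $expected = $session['csrf_secret'] ?? '';
    $given    = $request['csrf_token'] ?? '';
    // hash_equals compares in constant time and rejects a length mismatch,
    // so the check leaks nothing about the secret.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

function handle_delete_protected(array &$mailbox, array &$session, array $request): bool
{
    if (!csrf_valid($session, $request)) {
        return false;   // not a submission of a form this server rendered
    }
    return apply_delete($mailbox, $request['msgid'] ?? null);
}

// The server's own form carries the token as a hidden field.
function render_delete_form(array &$session, int $msgid): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="delete.php">'
         . '<input type="hidden" name="msgid" value="' . $msgid . '">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="submit" value="Delete"></form>';
}

// --- constructed demonstration ---
$session = ['user' => 'alice'];                         // victim is logged in
$mailbox = [1 => 'payroll', 2 => 'invite', 3 => 'receipt'];

// A cross-site page cannot read $session, so a forged POST carries only
// fields the attacker can guess.
$forged = ['msgid' => 1];

$copy = $mailbox;
printf("unprotected handler, forged request: deleted=%s\n",
       handle_delete_unprotected($copy, $forged) ? 'yes' : 'no');

$copy = $mailbox;
printf("protected handler,   forged request: deleted=%s\n",
       handle_delete_protected($copy, $session, $forged) ? 'yes' : 'no');

// A real submission of the server-rendered form includes the token.
echo render_delete_form($session, 1), "\n";
$legit = ['msgid' => 1, 'csrf_token' => csrf_token($session)];
printf("protected handler,   own form:       deleted=%s\n",
       handle_delete_protected($copy, $session, $legit) ? 'yes' : 'no');
```

The token must be bound to the session (regenerated on login) and checked on every state-changing page listed above, not only on the delete path shown here; checking it on some forms and not others is exactly the condition the advisory describes. The SquirrelMail fix linked under the vendor advisory takes the same general approach of adding a security token to its forms, but the functions here are illustrative and are not that code.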
Vendor advisory
The vendor has released a fix for this issue. Download it from the vendor's repository: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13818
References
- Source: bugzilla.redhat.com URL: https://bugzilla.redhat.com/show_bug.cgi?id=517312
- Source: VUPEN Name: ADV-2009-2262 URL: http://www.vupen.com/english/advisories/2009/2262
- Source: www.squirrelmail.org URL: http://www.squirrelmail.org/security/issue/2009-08-12
- Source: squirrelmail.svn.sourceforge.net URL: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13818
- Source: squirrelmail.svn.sourceforge.net URL: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog?revision=13818&view=markup&pathrev=13818
- Source: FEDORA Name: FEDORA-2009-8822 URL: https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00954.html
- Source: FEDORA Name: FEDORA-2009-8797 URL: https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00927.html
- Source: XF Name: squirrelmail-unspecified-csrf(52406) URL: http://xforce.iss.net/xforce/xfdb/52406
- Source: BID Name: 36196 URL: http://www.securityfocus.com/bid/36196
- Source: OSVDB Name: 57001 URL: http://www.osvdb.org/57001
- Source: MANDRIVA Name: MDVSA-2009:222 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:222
- Source: SECUNIA Name: 36363 URL: http://secunia.com/advisories/36363
- Source: SECUNIA Name: 34627 URL: http://secunia.com/advisories/34627
Affected products
- Squirrelmail Squirrelmail:1.4_rc1
- Squirrelmail Squirrelmail:1.4:Rc1
- Squirrelmail Squirrelmail:1.4.9a
- Squirrelmail Squirrelmail:1.4.9
- Squirrelmail Squirrelmail:1.4.13
Patches
- Security Update 2010-004 (Leopard-Server)
- Mac OS X v10.6.4 Update Mac mini (Mid 2010)
- Mac OS X v10.6.4 Update (Combo)
- Mac OS X Server v10.6.4 Update Mac mini (Mid 2010)
- Mac OS X v10.6.4 Update