-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
SquirrelMail Cross Site Request Forgery Vulnerability
http://www.cert-in.org.in/vulnerability/civn-2009-131.htm
Original Issue Date: October 22, 2009
Severity Rating: Medium
Systems Affected
SquirrelMail versions 1.4.19 and prior
Overview
A vulnerability has been reported in SquirrelMail which could allow a
remote attacker to conduct Cross-Site Request Forgery (CSRF) attacks.
Description
This vulnerability is caused by improper validation of user-supplied
input when users perform certain actions via HTTP requests in
SquirrelMail. A remote attacker could exploit this vulnerability by
tricking a user into visiting a malicious web page that issues a
specially-crafted HTTP request. Successful exploitation could allow a
remote attacker to change user preferences, delete emails, and potentially
send emails when a logged-in user visits a malicious web page, and to
perform cross-site scripting attacks, Web cache poisoning, and other
malicious activities.
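The class of fix the advisory's solution implies is the synchronizer-token pattern: every state-changing action must arrive as a POST that carries a secret token bound to the user's session, so a request forged from another origin (which cannot read the token) is refused before any preference is changed or any mail is deleted. The following is an added example written for this page, not SquirrelMail's own patch; the in-memory session store and the /options and /delete paths are constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store for the example (not SquirrelMail's code).
SESSIONS = {}


def new_session():
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "csrf_token": secrets.token_urlsafe(32),
        "prefs": {},
        "mailbox": ["msg-1", "msg-2", "msg-3"],
    }
    return sid


def csrf_token_for(sid):
    """Token the legitimate UI embeds in its forms; a cross-site page cannot read it."""
    return SESSIONS[sid]["csrf_token"]


def handle_request(sid, method, path, form):
    """Dispatch a state-changing action only when the request is a POST
    carrying the session's token. Returns (http_status, session_or_None)."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, None
    if path not in ("/options", "/delete"):
        return 404, session
    # State changes are never performed on GET: a plain <img src=...> or
    # link cannot reach the action at all.
    if method != "POST":
        return 405, session
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, session
    if path == "/options":
        session["prefs"].update(
            {k: v for k, v in form.items() if k != "csrf_token"}
        )
    elif path == "/delete":
        msg_id = form.get("msgid")
        if msg_id in session["mailbox"]:
            session["mailbox"].remove(msg_id)
    return 200, session
```

Forged requests from another origin are stopped at two points: a GET is rejected outright (405), and a POST without the correct per-session token is rejected (403) before any handler that mutates the session runs. Only a form rendered by the application itself, which embeds csrf_token_for(sid), reaches the 200 path.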
Solution
Update to SquirrelMail version 1.4.20 RC2
http://www.squirrelmail.org/download.php
Vendor Information
Squirrelmail
http://www.squirrelmail.org/security/issue/2009-08-12
References
Squirrelmail
http://www.squirrelmail.org/security/issue/2009-08-12
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13818
Security Focus
http://www.securityfocus.com/bid/36196
Secunia
http://secunia.com/advisories/34627
ISS XForce
http://xforce.iss.net/xforce/xfdb/52406
Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=517312
VUPEN
http://www.vupen.com/english/advisories/2009/2262
OSVDB
http://www.osvdb.org/57001
CVE Name
CVE-2009-2964
Disclaimer
The information provided herein is on "as is" basis, without warranty of
any kind.
Contact Information
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
Note: Please do not reply to this e-mail. For further queries contact
CERT-In Information Desk. Email: info@cert-in.org.in
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wsBVAwUBSuF89nWXeYNsoT30AQr9XAf/fksf/2mWwz8CQnsTQ34RRkOfHipcbI9w
yJtI6aTZ30jDz2SCBBfJNF9Khy3GvHqS6mWz2O0BdGyskjydUXdURMvv/Ru/6piW
b/Wge5TVXlJWevaDrlANUEhVDyCpliw7snLsszAaYLiAgsx9JtY9VDJzyg4N7DNc
U8aBjTN+HPD8WRb0I2CmAGJaC3qURf0V1udxhmt+GyWBoBvHntUKq1HdYjucEBe8
wMa8oQ5pepzVoMSypW3/BSXJ7Q/MJGNawyiK4MEU0z/Z29dAFGdLKQgaa9GBGYvF
sCNt9Ob6MLgdJ0tCvp5zaY5oNVHAUYrAiDu36lpyC8uETA8VwSd/KA==
=4Dbf
-----END PGP SIGNATURE-----