Mandrake Local Security Checks : Mandrake Security Advisory MDVSA-2009:053 (squirrelmail)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.63445

Categoría: Mandrake Local Security Checks

Título: Mandrake Security Advisory MDVSA-2009:053 (squirrelmail)

Resumen: The remote host is missing an update to squirrelmail;announced via advisory MDVSA-2009:053.

Descripción: Summary:
The remote host is missing an update to squirrelmail
announced via advisory MDVSA-2009:053.

Vulnerability Insight:
A vulnerability has been identified and corrected in squirrelmail:

Squirrelmail 1.4.15 does not set the secure flag for the session
cookie in an https session, which can cause the cookie to be sent in
http requests and make it easier for remote attackers to capture this
cookie (CVE-2008-3663).

Additionally many of the bundled plugins has been upgraded. The
localization has also been upgraded. Basically this is a synchronization
with the latest squirrelmail package found in Mandriva Cooker. The
rpm changelog will reveal all the changes (rpm -q --changelog
squirrelmail).

The updated packages have been upgraded to the latest version of
squirrelmail to prevent this.

Affected: Corporate 4.0

Solution:
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2008-3663
http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html
BugTraq ID: 31321
http://www.securityfocus.com/bid/31321
Bugtraq: 20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663 (Google Search)
http://www.securityfocus.com/archive/1/496601/100/0/threaded
http://int21.de/cve/CVE-2008-3663-squirrelmail.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548
http://secunia.com/advisories/33937
http://securityreason.com/securityalert/4304
SuSE Security Announcement: SUSE-SR:2008:028 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html
SuSE Security Announcement: SUSE-SR:2009:004 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
XForce ISS Database: squirrelmail-cookie-session-hijacking(45700)
https://exchange.xforce.ibmcloud.com/vulnerabilities/45700

Copyright Copyright (C) 2009 E-Soft Inc.

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.63445
Categoría:	Mandrake Local Security Checks
Título:	Mandrake Security Advisory MDVSA-2009:053 (squirrelmail)
Resumen:	The remote host is missing an update to squirrelmail;announced via advisory MDVSA-2009:053.
Descripción:	Summary: The remote host is missing an update to squirrelmail announced via advisory MDVSA-2009:053. Vulnerability Insight: A vulnerability has been identified and corrected in squirrelmail: Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie (CVE-2008-3663). Additionally many of the bundled plugins has been upgraded. The localization has also been upgraded. Basically this is a synchronization with the latest squirrelmail package found in Mandriva Cooker. The rpm changelog will reveal all the changes (rpm -q --changelog squirrelmail). The updated packages have been upgraded to the latest version of squirrelmail to prevent this. Affected: Corporate 4.0 Solution: To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2008-3663 http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html BugTraq ID: 31321 http://www.securityfocus.com/bid/31321 Bugtraq: 20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663 (Google Search) http://www.securityfocus.com/archive/1/496601/100/0/threaded http://int21.de/cve/CVE-2008-3663-squirrelmail.html https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548 http://secunia.com/advisories/33937 http://securityreason.com/securityalert/4304 SuSE Security Announcement: SUSE-SR:2008:028 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html SuSE Security Announcement: SUSE-SR:2009:004 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html XForce ISS Database: squirrelmail-cookie-session-hijacking(45700) https://exchange.xforce.ibmcloud.com/vulnerabilities/45700
Copyright	Copyright (C) 2009 E-Soft Inc.