Web application abuses : SquirrelMail Multiple CSRF Vulnerabilities

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.900830

Categoría: Web application abuses

Título: SquirrelMail Multiple CSRF Vulnerabilities

Resumen: SquirrelMail is prone to multiple cross-site request forgery; (CSRF) vulnerabilities.

Descripción: Summary:
SquirrelMail is prone to multiple cross-site request forgery
(CSRF) vulnerabilities.

Vulnerability Insight:
Multiple CSRF errors are caused via features such as send message and change
preferences, related to addrbook_search_html.php, folders_rename_getname.php, folders_rename_do.php,
folders_subscribe.php, move_messages.php, options.php, options_highlight.php, options_identities.php,
options_order.php, search.php, addressbook.php, compose.php, folders.php, folders_create.php, vcard.php and
folders_delete.php in /src and mailbox_display.php in functions directory.

Vulnerability Impact:
Attacker may leverage this issue to modify user preferences, delete emails,
and potentially send emails, and can hijack the authentication of unspecified victims.

Affected Software/OS:
SquirrelMail version 1.4.19 and prior on Linux.

Solution:
Upgrade to version 1.4.20 RC1 or later.

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2009-2964
http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html
BugTraq ID: 36196
http://www.securityfocus.com/bid/36196
Debian Security Information: DSA-2091 (Google Search)
http://www.debian.org/security/2010/dsa-2091
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00927.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00954.html
http://jvn.jp/en/jp/JVN30881447/index.html
http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-002207.html
http://www.mandriva.com/security/advisories?name=MDVSA-2009:222
http://www.osvdb.org/57001
http://osvdb.org/60469
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10668
http://secunia.com/advisories/34627
http://secunia.com/advisories/36363
http://secunia.com/advisories/37415
http://secunia.com/advisories/40220
http://secunia.com/advisories/40964
http://www.vupen.com/english/advisories/2009/2262
http://www.vupen.com/english/advisories/2009/3315
http://www.vupen.com/english/advisories/2010/1481
http://www.vupen.com/english/advisories/2010/2080
XForce ISS Database: squirrelmail-unspecified-csrf(52406)
https://exchange.xforce.ibmcloud.com/vulnerabilities/52406

Copyright Copyright (C) 2009 Greenbone AG

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.900830
Categoría:	Web application abuses
Título:	SquirrelMail Multiple CSRF Vulnerabilities
Resumen:	SquirrelMail is prone to multiple cross-site request forgery; (CSRF) vulnerabilities.
Descripción:	Summary: SquirrelMail is prone to multiple cross-site request forgery (CSRF) vulnerabilities. Vulnerability Insight: Multiple CSRF errors are caused via features such as send message and change preferences, related to addrbook_search_html.php, folders_rename_getname.php, folders_rename_do.php, folders_subscribe.php, move_messages.php, options.php, options_highlight.php, options_identities.php, options_order.php, search.php, addressbook.php, compose.php, folders.php, folders_create.php, vcard.php and folders_delete.php in /src and mailbox_display.php in functions directory. Vulnerability Impact: Attacker may leverage this issue to modify user preferences, delete emails, and potentially send emails, and can hijack the authentication of unspecified victims. Affected Software/OS: SquirrelMail version 1.4.19 and prior on Linux. Solution: Upgrade to version 1.4.20 RC1 or later. CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2009-2964 http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html BugTraq ID: 36196 http://www.securityfocus.com/bid/36196 Debian Security Information: DSA-2091 (Google Search) http://www.debian.org/security/2010/dsa-2091 https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00927.html https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00954.html http://jvn.jp/en/jp/JVN30881447/index.html http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-002207.html http://www.mandriva.com/security/advisories?name=MDVSA-2009:222 http://www.osvdb.org/57001 http://osvdb.org/60469 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10668 http://secunia.com/advisories/34627 http://secunia.com/advisories/36363 http://secunia.com/advisories/37415 http://secunia.com/advisories/40220 http://secunia.com/advisories/40964 http://www.vupen.com/english/advisories/2009/2262 http://www.vupen.com/english/advisories/2009/3315 http://www.vupen.com/english/advisories/2010/1481 http://www.vupen.com/english/advisories/2010/2080 XForce ISS Database: squirrelmail-unspecified-csrf(52406) https://exchange.xforce.ibmcloud.com/vulnerabilities/52406
Copyright	Copyright (C) 2009 Greenbone AG