Bug 473877 (CVE-2008-2379)
| Field | Value |
|---|---|
| Summary | CVE-2008-2379 squirrelmail: XSS issue caused by an insufficient html mail sanitation |
| Product | [Other] Security Response |
| Reporter | Tomas Hoger <thoger> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | kreilly, mhlavink |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2009-01-12 14:48:00 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 473288, 473289, 473290, 473291, 473881, 833979 |
| Bug Blocks | |
| Attachments | |
Description

Tomas Hoger 2008-12-01 08:55:11 UTC

This issue also affects users that do not have "Show HTML Version by Default" enabled, but select the "View" action on a specially crafted HTML attachment.

Created attachment 325189 [details]
Upstream patch for SquirrelMail 1.4.x

Created attachment 325190 [details]
Upstream patch for SquirrelMail 1.5.x

Public now via: http://secunia.com/advisories/32143/

Fixed upstream in 1.4.17 (quoting ReleaseNotes):

An issue was fixed that allowed an attacker to send specially-crafted hyperlinks in a message that could execute cross-site scripting (XSS) when the user viewed the message in SquirrelMail. We would like to thank Secunia Research for reporting this issue to us. It is tracked as CVE-2008-2379.

Upstream SVN commit, 1.4 branch: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13338

squirrelmail-1.4.17-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

squirrelmail-1.4.17-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

squirrelmail-1.4.17-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

Upstream advisory: http://www.squirrelmail.org/security/issue/2008-12-04

This issue was addressed in:

Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2009-0010.html

Fedora:
https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10748
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-10740