Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Reference: BUGTRAQ:20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/496601/100/0/threaded
Reference: MISC:http://int21.de/cve/CVE-2008-3663-squirrelmail.html
Reference: BID:31321
Reference: URL:http://www.securityfocus.com/bid/31321
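A small response-header audit illustrating the defect described above, added here as an example and not part of the bug report or of SquirrelMail's own code. It parses Set-Cookie headers from constructed sample responses and reports a session cookie that an HTTPS response sets without the Secure flag (and, as a related check, without HttpOnly); the session cookie name SQMSESSID is an assumption, not something the report states.

```python
from typing import Dict, List, Tuple

# Constructed sample responses (not taken from the bug report). SQMSESSID is
# assumed to be the application's session cookie; "lang" is a non-session cookie.
VULNERABLE_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: SQMSESSID=deadbeef0123; path=/",
    "Set-Cookie: lang=en_US; path=/",
    "Content-Type: text/html",
]
FIXED_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: SQMSESSID=deadbeef0123; path=/; Secure; HttpOnly",
    "Set-Cookie: lang=en_US; path=/",
    "Content-Type: text/html",
]


def parse_set_cookie(value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly carry no value and map to the empty string.
    """
    pieces = [p.strip() for p in value.split(";")]
    name, _, cookie_value = pieces[0].partition("=")
    attrs: Dict[str, str] = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs


def audit_session_cookies(headers: List[str], over_https: bool,
                          session_names=("SQMSESSID",)) -> List[str]:
    """Report session cookies set without Secure (on HTTPS) or without HttpOnly.

    A cookie that lacks Secure is also sent on plain-HTTP requests to the same
    host, which is the exposure the report describes.
    """
    findings: List[str] = []
    for line in headers:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if name not in session_names:
            continue
        if over_https and "secure" not in attrs:
            findings.append(f"{name}: set over HTTPS without the Secure flag")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
    return findings
```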
Upstream SVN commit addressing this issue: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13290
squirrelmail-1.4.16-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 321469
Upstream patch for posterity's sake
squirrelmail-1.4.16-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Upstream advisory: http://www.squirrelmail.org/security/issue/2008-09-28
This issue was addressed in:
Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2009-0010.html
Fedora: https://admin.fedoraproject.org/updates/F9/FEDORA-2008-8559