Red Hat Bugzilla – Bug 464183
CVE-2008-3663 squirrelmail: session hijacking - secure flag not set for HTTPS-only cookies
Last modified: 2012-06-20 10:37:32 EDT
Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this
Reference: BUGTRAQ:20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663
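To make the flaw in the description concrete, here is an added example (written for this page, not SquirrelMail's code or anything attached to this bug): a Python audit that flags a session cookie issued over HTTPS without the Secure attribute, beside a builder that emits the cookie the way the fix requires. The cookie name SQMSESSID, the header samples and the session value are assumptions constructed for the example.

```python
"""Audit Set-Cookie headers for the CVE-2008-3663 pattern: a session
cookie issued in an HTTPS session without the Secure attribute, which
the browser will then also send in plain-HTTP requests."""
from http.cookies import SimpleCookie

# Assumed session cookie names (SQMSESSID is SquirrelMail's; PHPSESSID is PHP's default).
SESSION_NAMES = ("SQMSESSID", "PHPSESSID")


def build_session_cookie(name, value, over_https, path="/"):
    """Return a Set-Cookie header value; Secure is added only for HTTPS sessions."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = path
    cookie[name]["httponly"] = True
    if over_https:
        cookie[name]["secure"] = True  # the attribute 1.4.15 omitted
    return cookie[name].OutputString()


def audit_set_cookie(header, over_https, session_names=SESSION_NAMES):
    """Return a list of findings for one Set-Cookie header value."""
    cookie = SimpleCookie()
    cookie.load(header)
    findings = []
    for name, morsel in cookie.items():
        if name not in session_names:
            continue
        if over_https and not morsel["secure"]:
            findings.append(f"{name}: set over HTTPS without Secure (CVE-2008-3663 pattern)")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
    return findings


def audit_response_headers(headers, over_https):
    """Run audit_set_cookie over every Set-Cookie header of one response."""
    findings = []
    for field, value in headers:
        if field.lower() == "set-cookie":
            findings.extend(audit_set_cookie(value, over_https))
    return findings


# Constructed sample: headers as a vulnerable 1.4.15-style HTTPS response might send them.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SQMSESSID=f3a1c9e0; path=/"),
    ("Set-Cookie", "squirrelmail_language=en_US; path=/"),
]

if __name__ == "__main__":
    for finding in audit_response_headers(SAMPLE_HEADERS, over_https=True):
        print(finding)
    print(build_session_cookie("SQMSESSID", "f3a1c9e0", over_https=True))
```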
Upstream SVN commit addressing this issue:
squirrelmail-1.4.16-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 321469
Upstream patch for posterity's sake
squirrelmail-1.4.16-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux: