It was reported that SquirrelMail did not implement protections against cross-site request forgery (CSRF) attacks. This can be exploited to e.g. change user preferences, delete emails, and potentially send emails when a logged-in user visits a malicious web page.

Upstream advisory: http://www.squirrelmail.org/security/issue/2009-08-12
Upstream patch: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13818

Issue was first addressed in 1.4.20RC1.

Secunia advisory: http://secunia.com/advisories/34627/
squirrelmail-1.4.19-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/squirrelmail-1.4.19-2.fc11
squirrelmail-1.4.19-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/squirrelmail-1.4.19-2.fc10
squirrelmail-1.4.19-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
squirrelmail-1.4.19-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2964 to the following vulnerability:

Name: CVE-2009-2964
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2964
Assigned: 20090825
Reference: CONFIRM: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog?revision=13818&view=markup&pathrev=13818
Reference: CONFIRM: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13818
Reference: CONFIRM: http://www.squirrelmail.org/security/issue/2009-08-12
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=517312
Reference: FEDORA:FEDORA-2009-8797
Reference: URL: https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00927.html
Reference: FEDORA:FEDORA-2009-8822
Reference: URL: https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00954.html
Reference: OSVDB:57001
Reference: URL: http://www.osvdb.org/57001
Reference: SECUNIA:34627
Reference: URL: http://secunia.com/advisories/34627
Reference: SECUNIA:36363
Reference: URL: http://secunia.com/advisories/36363
Reference: VUPEN:ADV-2009-2262
Reference: URL: http://www.vupen.com/english/advisories/2009/2262
Reference: XF:squirrelmail-unspecified-csrf(52406)
Reference: URL: http://xforce.iss.net/xforce/xfdb/52406

Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.
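The report above and the CVE description both come down to the same defect: the listed scripts act on any request that carries the victim's session cookie, so a form or image tag on an attacker's page can drive folder deletion, preference changes or message sending. The following is an added illustration, not SquirrelMail's code and not the upstream patch (revision 13818 carries its own fix); it shows the token-less handler pattern beside a per-session CSRF token check. The `sm_demo_*` function names, the `csrf_token` field name and the constructed requests are this example's own assumptions.

```php
<?php
// Added example, not SquirrelMail's own code: a token-less handler of the kind
// CVE-2009-2964 describes, beside a hardened one that binds a random secret to
// the session. All sm_demo_* names and the csrf_token field are assumptions.

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Vulnerable pattern: whoever holds the session cookie wins. A page on another
// origin can submit <form method="post" action=".../folders_delete.php"> or
// embed <img src=".../folders_delete.php?delete_folder=...">, and the victim's
// browser attaches the SquirrelMail cookie to that request automatically.
function sm_demo_handle_vulnerable(array $request): string
{
    if (isset($request['delete_folder'])) {
        return 'deleted folder ' . $request['delete_folder'];
    }
    return 'no action';
}

// Hardened pattern: every state-changing request must carry a secret that only
// pages served by this application (same origin, same session) can read.
function sm_demo_csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes, hex-encoded. random_bytes() needs PHP 7 or later;
        // on the PHP 5 builds SquirrelMail 1.4 targeted, use
        // openssl_random_pseudo_bytes() with the $crypto_strong check.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function sm_demo_csrf_valid(array $request): bool
{
    if (empty($_SESSION['csrf_token']) || !isset($request['csrf_token'])) {
        return false;
    }
    // hash_equals() compares in constant time, so the token cannot be
    // recovered byte by byte through response timing.
    return hash_equals($_SESSION['csrf_token'], (string) $request['csrf_token']);
}

// Emit this inside every form the application renders; an attacker's page
// cannot read it because the same-origin policy keeps it from fetching the form.
function sm_demo_hidden_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(sm_demo_csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function sm_demo_handle_hardened(array $request, string $method): string
{
    // State changes only over POST: a cross-site <img> or plain link is a GET
    // and never reaches the action at all.
    if ($method !== 'POST') {
        return 'rejected: state change requires POST';
    }
    if (!sm_demo_csrf_valid($request)) {
        return 'rejected: missing or invalid CSRF token';
    }
    if (isset($request['delete_folder'])) {
        return 'deleted folder ' . $request['delete_folder'];
    }
    return 'no action';
}

// Constructed requests for the demonstration. The forged one models a
// cross-site POST: it rides on the session cookie but cannot know the token.
$forged = ['delete_folder' => 'INBOX.Archive'];
echo sm_demo_handle_vulnerable($forged), "\n";
echo sm_demo_handle_hardened($forged, 'GET'), "\n";
echo sm_demo_handle_hardened($forged, 'POST'), "\n";

// A form rendered by the application itself includes the hidden field.
echo sm_demo_hidden_field(), "\n";
$legit = ['delete_folder' => 'INBOX.Archive', 'csrf_token' => sm_demo_csrf_token()];
echo sm_demo_handle_hardened($legit, 'POST'), "\n";
```

The token must be checked on every one of the seventeen scripts named in the CVE text, not only on the "obvious" ones such as compose and options: a single unprotected GET action (folder delete, message move) is enough for the attack, which is why the upstream fix touches so many files. Restricting state changes to POST is a useful second layer but is not a substitute for the token, since a hidden auto-submitting form on the attacker's page can issue a cross-site POST just as easily.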
This issue has been addressed in the following products:

Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5

Via RHSA-2009:1490 https://rhn.redhat.com/errata/RHSA-2009-1490.html