Vigil@nce: SquirrelMail, Cross Site Scripting

December 2008 by Vigil@nce

SYNTHESIS

An attacker can send an HTML mail that triggers a Cross Site
Scripting attack in the web browser of victims who read this email
with SquirrelMail.

Gravity: 2/4

Consequences: client access/rights

Provenance: document

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 04/12/2008

IMPACTED PRODUCTS

 Debian Linux
 Fedora
 OpenSUSE
 SuSE Linux
 SUSE LINUX Enterprise Server
 Unix - platform

DESCRIPTION

SquirrelMail is a webmail application: it lets users read a mailbox
through a web browser, rendering the messages as HTML pages.

When an HTML document contains a link, the following syntax is
generally used:

...
Browsers do not require quotes around the attribute value when the
URL contains no spaces: an unquoted value ends at the first space,
and whatever follows it is parsed as further attributes of the tag.

When it renders an HTML mail, SquirrelMail reconstructs the tag but
does not add quotes around its attribute value. An attacker can
therefore use a URL containing a space to inject additional
attributes (for example an event handler) or HTML code into the
generated page.

An attacker can thus send an HTML mail that triggers a Cross Site
Scripting attack in the web browser of victims who read this email
with SquirrelMail.
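The unquoted-attribute bug class described above, shown as an added example in Python (it is not SquirrelMail's own code, which is PHP, and does not come from the advisory): a flawed link rebuild that writes the href back unquoted, beside a hardened rebuild that quotes and entity-encodes the value, with Python's html.parser standing in for the browser to show how each output is tokenized. The sample URLs, the function names and the scheme allow-list are constructed for the illustration; the scheme check is an extra precaution, not something the advisory mentions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample href values, as they might arrive in an HTML mail.
SAFE_URL = "http://example.com/page"
# A value with a space: once the href is emitted unquoted, the part after the
# space becomes a new attribute of the tag (constructed payload for illustration).
INJECTED_URL = "http://example.com/ onmouseover=alert(1)"

# Hypothetical allow-list; the advisory only describes the missing quotes,
# the scheme check is added here as defence in depth.
ALLOWED_SCHEMES = ("http", "https", "mailto")


def rebuild_link_vulnerable(url, text):
    """Flawed pattern: the href value is written back without quotes."""
    return "<a href=%s>%s</a>" % (url, text)


def rebuild_link_hardened(url, text):
    """Quote the attribute, entity-encode it, and refuse unexpected schemes."""
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:          # unparsable URL (e.g. a bad IPv6 literal)
        scheme = ""
    if scheme not in ALLOWED_SCHEMES:
        url = "#"               # neutralise javascript:, data:, relative, ...
    # quote=True also encodes " and ', so the value cannot close the attribute
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(text))


class _FirstTag(HTMLParser):
    """Collects the attributes of the first start tag, as a browser would tokenize them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def browser_view(fragment):
    """Return {attribute: value} for the first tag of an HTML fragment."""
    parser = _FirstTag()
    parser.feed(fragment)
    parser.close()
    return parser.attrs or {}


if __name__ == "__main__":
    for rebuild in (rebuild_link_vulnerable, rebuild_link_hardened):
        out = rebuild(INJECTED_URL, "link")
        print(rebuild.__name__, out, browser_view(out))
```

Run stand-alone, the vulnerable rebuild yields a tag carrying both an href and an onmouseover attribute, while the hardened rebuild keeps the whole string, space included, inside a single quoted href; entity-encoding the quotes is what stops a value such as `x" onmouseover=...` from closing the attribute early.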

CHARACTERISTICS

Identifiers: BID-32603, CVE-2008-2379, DSA 1682-1,
FEDORA-2008-10740, FEDORA-2008-10748, FEDORA-2008-10918,
SUSE-SR:2008:027, VIGILANCE-VUL-8285

http://vigilance.fr/vulnerability/8285
