ID CVE-2008-3663
Summary Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
References
Vulnerable Configurations
  • cpe:2.3:a:squirrelmail:squirrelmail:1.4.15
CVSS
Base: 5.0 (as of 25-09-2008 - 08:57)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
Vector: NETWORK | Complexity: LOW | Authentication: NONE
Impact
Confidentiality: PARTIAL | Integrity: NONE | Availability: NONE
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-0010.NASL
    description An updated squirrelmail package that resolves various security issues is now available for Red Hat Enterprise Linux 3, 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. SquirrelMail is an easy-to-configure, standards-based, webmail package written in PHP. It includes built-in PHP support for the IMAP and SMTP protocols, and pure HTML 4.0 page-rendering (with no JavaScript required) for maximum browser-compatibility, strong MIME support, address books, and folder manipulation. Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail caused by insufficient HTML mail sanitization. A remote attacker could send a specially crafted HTML mail or attachment that could cause a user's Web browser to execute a malicious script in the context of the SquirrelMail session when that email or attachment was opened by the user. (CVE-2008-2379) It was discovered that SquirrelMail allowed cookies over insecure connections (ie did not restrict cookies to HTTPS connections). An attacker who controlled the communication channel between a user and the SquirrelMail server, or who was able to sniff the user's network communication, could use this flaw to obtain the user's session cookie, if a user made an HTTP request to the server. (CVE-2008-3663) Note: After applying this update, all session cookies set for SquirrelMail sessions started over HTTPS connections will have the 'secure' flag set. That is, browsers will only send such cookies over an HTTPS connection. If needed, you can revert to the previous behavior by setting the configuration option '$only_secure_cookies' to 'false' in SquirrelMail's /etc/squirrelmail/config.php configuration file. Users of squirrelmail should upgrade to this updated package, which contains backported patches to correct these issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 35357
    published 2009-01-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35357
    title RHEL 3 / 4 / 5 : squirrelmail (RHSA-2009:0010)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-9071.NASL
    description update to 1.4.16 fixes CVE-2008-3663. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 34493
    published 2008-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34493
    title Fedora 8 : squirrelmail-1.4.16-1.fc8 (2008-9071)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SQUIRRELMAIL-5778.NASL
    description Squirrelmail was updated to use the secure flag for its cookies. Otherwise it was possible to hijack a SSL-protected session via leaked cookies. (CVE-2008-3663)
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 34814
    published 2008-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34814
    title openSUSE 10 Security Update : squirrelmail (squirrelmail-5778)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-0010.NASL
    description An updated squirrelmail package that resolves various security issues is now available for Red Hat Enterprise Linux 3, 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. SquirrelMail is an easy-to-configure, standards-based, webmail package written in PHP. It includes built-in PHP support for the IMAP and SMTP protocols, and pure HTML 4.0 page-rendering (with no JavaScript required) for maximum browser-compatibility, strong MIME support, address books, and folder manipulation. Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail caused by insufficient HTML mail sanitization. A remote attacker could send a specially crafted HTML mail or attachment that could cause a user's Web browser to execute a malicious script in the context of the SquirrelMail session when that email or attachment was opened by the user. (CVE-2008-2379) It was discovered that SquirrelMail allowed cookies over insecure connections (ie did not restrict cookies to HTTPS connections). An attacker who controlled the communication channel between a user and the SquirrelMail server, or who was able to sniff the user's network communication, could use this flaw to obtain the user's session cookie, if a user made an HTTP request to the server. (CVE-2008-3663) Note: After applying this update, all session cookies set for SquirrelMail sessions started over HTTPS connections will have the 'secure' flag set. That is, browsers will only send such cookies over an HTTPS connection. If needed, you can revert to the previous behavior by setting the configuration option '$only_secure_cookies' to 'false' in SquirrelMail's /etc/squirrelmail/config.php configuration file. Users of squirrelmail should upgrade to this updated package, which contains backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 35353
    published 2009-01-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35353
    title CentOS 3 / 4 / 5 : squirrelmail (CESA-2009:0010)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_A0AFB4B989A111DDA65B00163E000016.NASL
    description Hanno Boeck reports : When configuring a web application to use only ssl (e.g. by forwarding all http-requests to https), a user would expect that sniffing and hijacking the session is impossible. Though, for this to be secure, one needs to set the session cookie to have the secure flag. Otherwise the cookie will be transferred through HTTP if the victim's browser does a single HTTP request on the same domain. Squirrelmail does not set that flag. It is fixed in the 1.5 test versions, but current 1.4.15 is vulnerable.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 34271
    published 2008-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34271
    title FreeBSD : squirrelmail -- Session hijacking vulnerability (a0afb4b9-89a1-11dd-a65b-00163e000016)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-0010.NASL
    description From Red Hat Security Advisory 2009:0010 : An updated squirrelmail package that resolves various security issues is now available for Red Hat Enterprise Linux 3, 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. SquirrelMail is an easy-to-configure, standards-based, webmail package written in PHP. It includes built-in PHP support for the IMAP and SMTP protocols, and pure HTML 4.0 page-rendering (with no JavaScript required) for maximum browser-compatibility, strong MIME support, address books, and folder manipulation. Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail caused by insufficient HTML mail sanitization. A remote attacker could send a specially crafted HTML mail or attachment that could cause a user's Web browser to execute a malicious script in the context of the SquirrelMail session when that email or attachment was opened by the user. (CVE-2008-2379) It was discovered that SquirrelMail allowed cookies over insecure connections (ie did not restrict cookies to HTTPS connections). An attacker who controlled the communication channel between a user and the SquirrelMail server, or who was able to sniff the user's network communication, could use this flaw to obtain the user's session cookie, if a user made an HTTP request to the server. (CVE-2008-3663) Note: After applying this update, all session cookies set for SquirrelMail sessions started over HTTPS connections will have the 'secure' flag set. That is, browsers will only send such cookies over an HTTPS connection. If needed, you can revert to the previous behavior by setting the configuration option '$only_secure_cookies' to 'false' in SquirrelMail's /etc/squirrelmail/config.php configuration file. Users of squirrelmail should upgrade to this updated package, which contains backported patches to correct these issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 67786
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67786
    title Oracle Linux 3 / 4 / 5 : squirrelmail (ELSA-2009-0010)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2009-001.NASL
    description The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2009-001 applied. This security update contains fixes for the following products : - AFP Server - Apple Pixlet Video - CarbonCore - CFNetwork - Certificate Assistant - ClamAV - CoreText - CUPS - DS Tools - fetchmail - Folder Manager - FSEvents - Network Time - perl - Printing - python - Remote Apple Events - Safari RSS - servermgrd - SMB - SquirrelMail - X11 - XTerm
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 35684
    published 2009-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35684
    title Mac OS X Multiple Vulnerabilities (Security Update 2009-001)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SQUIRRELMAIL-5978.NASL
    description This update of squirrelmail corrects a problem introduced by a patch for CVE-2008-3663 that caused cookies to be static. (CVE-2009-0030)
    last seen 2019-02-21
    modified 2016-12-27
    plugin id 35598
    published 2009-02-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35598
    title openSUSE 10 Security Update : squirrelmail (squirrelmail-5978)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090112_SQUIRRELMAIL_ON_SL3_X.NASL
    description Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail caused by insufficient HTML mail sanitization. A remote attacker could send a specially crafted HTML mail or attachment that could cause a user's Web browser to execute a malicious script in the context of the SquirrelMail session when that email or attachment was opened by the user. (CVE-2008-2379) It was discovered that SquirrelMail allowed cookies over insecure connections (ie did not restrict cookies to HTTPS connections). An attacker who controlled the communication channel between a user and the SquirrelMail server, or who was able to sniff the user's network communication, could use this flaw to obtain the user's session cookie, if a user made an HTTP request to the server. (CVE-2008-3663) Note: After applying this update, all session cookies set for SquirrelMail sessions started over HTTPS connections will have the 'secure' flag set. That is, browsers will only send such cookies over an HTTPS connection. If needed, you can revert to the previous behavior by setting the configuration option '$only_secure_cookies' to 'false' in SquirrelMail's /etc/squirrelmail/config.php configuration file.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60519
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60519
    title Scientific Linux Security Update : squirrelmail on SL3.x, SL4.x, SL5.x i386/x86_64
  • NASL family CGI abuses
    NASL id SQUIRRELMAIL_INSECURE_HTTPS_COOKIE.NASL
    description The version of SquirrelMail installed on the remote host does not set the 'secure' flag for session cookies established when communicating over SSL / TLS. This could lead to disclosure of those cookies if a user issues a request to a host in the same domain over HTTP (as opposed to HTTPS).
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 35661
    published 2009-02-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35661
    title SquirrelMail HTTPS Session Cookie Secure Flag Weakness
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-8559.NASL
    description rebase to 1.4.16. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 34479
    published 2008-10-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34479
    title Fedora 9 : squirrelmail-1.4.16-1.fc9 (2008-8559)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SQUIRRELMAIL-5792.NASL
    description Squirrelmail was updated to use the secure flag for its cookies. Otherwise it was possible to hijack a SSL-protected session via leaked cookies. (CVE-2008-3663) The previous update for the problem above contained a typo which broke squirrelmail.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 34848
    published 2008-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34848
    title openSUSE 10 Security Update : squirrelmail (squirrelmail-5792)
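The FreeBSD and Red Hat descriptions above explain the weakness: a session cookie set during an HTTPS session without the Secure attribute is attached by the browser to any plain-HTTP request for the same host. The following is an added example, not SquirrelMail or Tenable code, that parses Set-Cookie headers from a response and reports session cookies set over HTTPS without Secure; the cookie names SQMSESSID and key are assumed for illustration and do not come from this page.

```python
"""Check whether session cookies set over HTTPS carry the Secure flag.

Added example (not SquirrelMail code). Models the CVE-2008-3663 pattern:
a cookie set in an HTTPS session without `Secure` is attached by the
browser to any plain-HTTP request for the same host, as the advisories
describe. The cookie names used below are assumed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attr -> value

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 shape, no validation)."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if piece:
            key, _, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def browser_would_send(cookie: Cookie, request_scheme: str) -> bool:
    """Secure cookies travel only over HTTPS; all others go over both."""
    return not cookie.secure or request_scheme.lower() == "https"


def insecure_session_cookies(response_scheme, set_cookie_headers, session_names):
    """Names of session cookies that an HTTPS response set without Secure.

    Returns [] for plain-HTTP responses: the flag cannot protect a cookie
    that was already transmitted in the clear.
    """
    if response_scheme.lower() != "https":
        return []
    cookies = (parse_set_cookie(h) for h in set_cookie_headers)
    return [c.name for c in cookies
            if c.name in session_names and not c.secure]


# Constructed sample headers: the 'before' (no flag) and 'after' states
# described in the RHSA text. SQMSESSID and key are assumed cookie names.
SESSION_NAMES = {"SQMSESSID", "key"}
BEFORE = ["SQMSESSID=8f2c; path=/", "key=dGVzdA; path=/",
          "squirrelmail_language=en_US; path=/"]
AFTER = ["SQMSESSID=8f2c; path=/; secure",
         "key=dGVzdA; path=/; secure; HttpOnly"]

if __name__ == "__main__":
    print("before:", insecure_session_cookies("https", BEFORE, SESSION_NAMES))
    print("after:", insecure_session_cookies("https", AFTER, SESSION_NAMES))
```

Run against the real Set-Cookie headers of an HTTPS login response to verify that a deployed instance (or the '$only_secure_cookies' setting mentioned in the RHSA text) actually produces the flag.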
oval via4
accepted 2013-04-29T04:06:36.641-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
family unix
id oval:org.mitre.oval:def:10548
status accepted
submitted 2010-07-09T03:56:16-04:00
title Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
version 24
redhat via4
advisories
bugzilla
id 473877
title CVE-2008-2379 squirrelmail: XSS issue caused by an insufficient html mail sanitation
oval
OR
  • AND
    • comment Red Hat Enterprise Linux 3 is installed
      oval oval:com.redhat.rhsa:tst:20060015001
    • comment squirrelmail is earlier than 0:1.4.8-8.el3
      oval oval:com.redhat.rhsa:tst:20090010002
    • comment squirrelmail is signed with Red Hat master key
      oval oval:com.redhat.rhsa:tst:20070022003
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhsa:tst:20060016001
    • comment squirrelmail is earlier than 0:1.4.8-5.el4_7.2
      oval oval:com.redhat.rhsa:tst:20090010005
    • comment squirrelmail is signed with Red Hat master key
      oval oval:com.redhat.rhsa:tst:20070022003
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhsa:tst:20070055001
    • comment squirrelmail is earlier than 0:1.4.8-5.el5_2.2
      oval oval:com.redhat.rhsa:tst:20090010007
    • comment squirrelmail is signed with Red Hat redhatrelease key
      oval oval:com.redhat.rhsa:tst:20070358008
rhsa
id RHSA-2009:0010
released 2009-01-12
severity Moderate
title RHSA-2009:0010: squirrelmail security update (Moderate)
rpms
  • squirrelmail-0:1.4.8-8.el3
  • squirrelmail-0:1.4.8-5.el4_7.2
  • squirrelmail-0:1.4.8-5.el5_2.2
refmap via4
apple APPLE-SA-2009-02-12
bid 31321
bugtraq 20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663
confirm
misc http://int21.de/cve/CVE-2008-3663-squirrelmail.html
secunia 33937
sreason 4304
suse
  • SUSE-SR:2008:028
  • SUSE-SR:2009:004
xf squirrelmail-cookie-session-hijacking(45700)
statements via4
contributor Tomas Hoger
lastmodified 2009-01-12
organization Red Hat
statement This issue has been fixed in the affected Red Hat Enterprise Linux versions via: https://rhn.redhat.com/errata/RHSA-2009-0010.html
Last major update 21-08-2010 - 01:23
Published 24-09-2008 - 10:56
Last modified 11-10-2018 - 16:49