ID CVE-2008-3663
Summary Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
References
Vulnerable Configurations
  • cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:*:*:*:*:*:*:*
    cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 11-10-2018 - 20:49)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
oval via4
accepted 2013-04-29T04:06:36.641-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
family unix
id oval:org.mitre.oval:def:10548
status accepted
submitted 2010-07-09T03:56:16-04:00
title Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
version 24
redhat via4
advisories
bugzilla
id 473877
title CVE-2008-2379 squirrelmail: XSS issue caused by an insufficient html mail sanitation
oval
OR
  • AND
    • comment Red Hat Enterprise Linux 3 is installed
      oval oval:com.redhat.rhba:tst:20070026001
    • comment squirrelmail is earlier than 0:1.4.8-8.el3
      oval oval:com.redhat.rhsa:tst:20090010002
    • comment squirrelmail is signed with Red Hat master key
      oval oval:com.redhat.rhsa:tst:20070022003
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    • comment squirrelmail is earlier than 0:1.4.8-5.el4_7.2
      oval oval:com.redhat.rhsa:tst:20090010005
    • comment squirrelmail is signed with Red Hat master key
      oval oval:com.redhat.rhsa:tst:20070022003
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • comment squirrelmail is earlier than 0:1.4.8-5.el5_2.2
      oval oval:com.redhat.rhsa:tst:20090010007
    • comment squirrelmail is signed with Red Hat redhatrelease key
      oval oval:com.redhat.rhsa:tst:20070358008
rhsa
id RHSA-2009:0010
released 2009-01-12
severity Moderate
title RHSA-2009:0010: squirrelmail security update (Moderate)
rpms
  • squirrelmail-0:1.4.8-8.el3
  • squirrelmail-0:1.4.8-5.el4_7.2
  • squirrelmail-0:1.4.8-5.el5_2.2
refmap via4
apple APPLE-SA-2009-02-12
bid 31321
bugtraq 20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663
confirm
misc http://int21.de/cve/CVE-2008-3663-squirrelmail.html
secunia 33937
sreason 4304
suse
  • SUSE-SR:2008:028
  • SUSE-SR:2009:004
xf squirrelmail-cookie-session-hijacking(45700)
statements via4
contributor Tomas Hoger
lastmodified 2009-01-12
organization Red Hat
statement This issue has been fixed in the affected Red Hat Enterprise Linux versions via: https://rhn.redhat.com/errata/RHSA-2009-0010.html
Last major update 11-10-2018 - 20:49
Published 24-09-2008 - 14:56
Back to Top