DSA-1802 squirrelmail -- several vulnerabilities
|ID: oval:org.mitre.oval:def:8413||Date: (C)2009-12-15 (M)2017-10-04|
|Class: PATCH||Family: unix|
Several remote vulnerabilities have been discovered in SquirrelMail, a webmail application. The Common Vulnerabilities and Exposures project identifies the following problems: Cross site scripting was possible through a number of pages which allowed an attacker to steal sensitive session data. Code injection was possible when SquirrelMail was configured to use the map_yp_alias function to authenticate users. This is not the default. It was possible to hijack an active user session by planting a specially crafted cookie into the user's browser. Specially crafted HTML emails could use the CSS positioning feature to place email content over the SquirrelMail user interface, allowing for phishing.