ISS X-Force Database: squirrelmail-cookie-session-hijacking(45700): Squirrelmail cookie session hijacking

Squirrelmail cookie session hijacking

squirrelmail-cookie-session-hijacking (45700)

Medium Risk

Description:

Squirrelmail could allow a remote attacker to hijack a valid user's session, caused by the improper handling of insecure cookies. By persuading a victim to visit a Web site that fails to set session cookies with a secure flag, a remote attacker could exploit this vulnerability to hijack the victim's HTTP session and possibly launch further attacks on the vulnerable system.

Consequences:

Gain Access

Remedy:

Upgrade to the latest version of SquirrelMail (1.4.16 or later), available from the SquirrelMail Web site. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References:

Apple Web site: About the security content of Security Update 2009-001 .
Hanno Boeck Advisories, 2008-09-23: Squirrelmail: Session hijacking vulnerability, CVE-2008-3663.
SquirrelMail Web site: Download Distribution.
ASA-2009-009: squirrelmail security update (RHSA-2009-0010)
BID-31321: SquirrelMail Insecure Cookie Disclosure Weakness
CVE-2008-3663: Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
MDVSA-2009:053: squirrelmail
RHSA-2009-0010: Moderate: squirrelmail security update
SA33937: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
SUSE-SR:2008:028: SUSE Security Summary Report
SUSE-SR:2009:004: SUSE Security Summary Report

Platforms Affected:

Apple Mac OS X Server 10.4.11
Apple Mac OS X Server 10.5.6
MandrakeSoft Mandrake Linux Corporate Server 4.0
MandrakeSoft Mandrake Linux Corporate Server 4.0 X86_64
RedHat Enterprise Linux 3 Desktop
RedHat Enterprise Linux 3 AS
RedHat Enterprise Linux 3 WS
RedHat Enterprise Linux 3 ES
RedHat Enterprise Linux 4 ES
RedHat Enterprise Linux 4 Desktop
RedHat Enterprise Linux 4 AS
RedHat Enterprise Linux 4 WS
RedHat Enterprise Linux 4.7.z AS
RedHat Enterprise Linux 5 Client Workstation
RedHat Enterprise Linux 5
RedHat Enterprise Linux 5.2.z EUS
RedHat Red Hat Enterprise Linux 4.7.z ES
SquirrelMail SquirrelMail 1.4.15

Reported:

Sep 23, 2008

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page