CVE-2006-0195
CVSS 4.3
Published: 2006-02-23 19:02:00
Last modified: 2011-03-07 21:29:33

[Original] Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers including Internet Explorer.


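[CNNVD] SquirrelMail IMAP/SMTP command injection vulnerability (CNNVD-200602-350)

        SquirrelMail is a popular web-based mail service program.
        SquirrelMail provides a graphical interface for interacting with mail servers over the IMAP and SMTP protocols. During normal use of these applications, SquirrelMail does not properly validate the commands and information sent to the mail server, which allows a malicious authenticated user to use the sqimap_mailbox_select command parameter of the SquirrelMail webmail front end to inject arbitrary IMAP/SMTP commands into the mail server during communication.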

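- CVSS (base score)

CVSS score: 4.3 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: MEDIUM [exploitation requires certain access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)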

cpe:/a:squirrelmail:squirrelmail:1.4.6_rc1
cpe:/a:squirrelmail:squirrelmail:1.4.3a
cpe:/a:squirrelmail:squirrelmail:1.4.4
cpe:/a:squirrelmail:squirrelmail:1.4_rc1
cpe:/a:squirrelmail:squirrelmail:1.4.3_r3
cpe:/a:squirrelmail:squirrelmail:1.4.4_rc1
cpe:/a:squirrelmail:squirrelmail:1.4.1
cpe:/a:squirrelmail:squirrelmail:1.4.3_rc1
cpe:/a:squirrelmail:squirrelmail:1.4.3
cpe:/a:squirrelmail:squirrelmail:1.4.2
cpe:/a:squirrelmail:squirrelmail:1.4
cpe:/a:squirrelmail:squirrelmail:1.4.5

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9548
Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS)...
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the relevant OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0195
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0195
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200602-350
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/24848
(UNKNOWN)  XF  squirrelmail-magichtml-xss(24848)
http://www.vupen.com/english/advisories/2006/0689
(UNKNOWN)  VUPEN  ADV-2006-0689
http://www.squirrelmail.org/security/issue/2006-02-10
(UNKNOWN)  CONFIRM  http://www.squirrelmail.org/security/issue/2006-02-10
http://www.securityfocus.com/bid/16756
(UNKNOWN)  BID  16756
http://securitytracker.com/id?1015662
(UNKNOWN)  SECTRACK  1015662
http://secunia.com/advisories/18985
(VENDOR_ADVISORY)  SECUNIA  18985
http://www.redhat.com/support/errata/RHSA-2006-0283.html
(UNKNOWN)  REDHAT  RHSA-2006:0283
http://www.redhat.com/archives/fedora-announce-list/2006-March/msg00004.html
(UNKNOWN)  FEDORA  FEDORA-2006-133
http://www.novell.com/linux/security/advisories/2006_05_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2006:005
http://www.mandriva.com/security/advisories?name=MDKSA-2006:049
(UNKNOWN)  MANDRIVA  MDKSA-2006:049
http://www.gentoo.org/security/en/glsa/glsa-200603-09.xml
(UNKNOWN)  GENTOO  GLSA-200603-09
http://www.debian.org/security/2006/dsa-988
(UNKNOWN)  DEBIAN  DSA-988
http://secunia.com/advisories/20210
(UNKNOWN)  SECUNIA  20210
http://secunia.com/advisories/19960
(UNKNOWN)  SECUNIA  19960
http://secunia.com/advisories/19205
(UNKNOWN)  SECUNIA  19205
http://secunia.com/advisories/19176
(UNKNOWN)  SECUNIA  19176
http://secunia.com/advisories/19131
(UNKNOWN)  SECUNIA  19131
http://secunia.com/advisories/19130
(UNKNOWN)  SECUNIA  19130
ftp://patches.sgi.com/support/free/security/advisories/20060501-01-U.asc
(UNKNOWN)  SGI  20060501-01-U

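- Vulnerability information

SquirrelMail IMAP/SMTP command injection vulnerability
Medium risk  Cross-site scripting
2006-02-23 00:00:00 2006-02-24 00:00:00
Remote
        SquirrelMail is a popular web-based mail service program.
        SquirrelMail provides a graphical interface for interacting with mail servers over the IMAP and SMTP protocols. During normal use of these applications, SquirrelMail does not properly validate the commands and information sent to the mail server, which allows a malicious authenticated user to use the sqimap_mailbox_select command parameter of the SquirrelMail webmail front end to inject arbitrary IMAP/SMTP commands into the mail server during communication.

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. Patch download link:
        http://www.squirrelmail.org/security/issue/2006-02-15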

- Vulnerability information (F44579)

Gentoo Linux Security Advisory 200603-9 (PacketStormID:F44579)
2006-03-13 00:00:00
Gentoo  security.gentoo.org
advisory,php,imap,xss
linux,gentoo
CVE-2006-0188,CVE-2006-0195,CVE-2006-0377

Gentoo Linux Security Advisory GLSA 200603-09 - SquirrelMail does not validate the right_frame parameter in webmail.php, possibly allowing frame replacement or cross-site scripting. Martijn Brinkers and Scott Hughes discovered that MagicHTML fails to handle certain input correctly, potentially leading to cross-site scripting. Vicente Aguilera reported that the sqimap_mailbox_select function did not strip newlines from the mailbox or subject parameter, possibly allowing IMAP command injection. Versions less than 1.4.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200603-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: SquirrelMail: Cross-site scripting and IMAP command
            injection
      Date: March 12, 2006
      Bugs: #123781
        ID: 200603-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

SquirrelMail is vulnerable to several cross-site scripting
vulnerabilities and IMAP command injection.

Background
==========

SquirrelMail is a webmail package written in PHP. It supports IMAP and
SMTP protocols.

Affected packages
=================

    -------------------------------------------------------------------
     Package                   /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  mail-client/squirrelmail       < 1.4.6                   >= 1.4.6

Description
===========

SquirrelMail does not validate the right_frame parameter in
webmail.php, possibly allowing frame replacement or cross-site
scripting (CVE-2006-0188). Martijn Brinkers and Scott Hughes discovered
that MagicHTML fails to handle certain input correctly, potentially
leading to cross-site scripting (only Internet Explorer,
CVE-2006-0195). Vicente Aguilera reported that the
sqimap_mailbox_select function did not strip newlines from the mailbox
or subject parameter, possibly allowing IMAP command injection
(CVE-2006-0377).

Impact
======

By exploiting the cross-site scripting vulnerabilities, an attacker can
execute arbitrary scripts running in the context of the victim's
browser. This could lead to a compromise of the user's webmail account,
cookie theft, etc. A remote attacker could exploit the IMAP command
injection to execute arbitrary IMAP commands on the configured IMAP
server.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All SquirrelMail users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/squirrelmail-1.4.6"

Note: Users with the vhosts USE flag set should manually use
webapp-config to finalize the update.

References
==========

  [ 1 ] CVE-2006-0188
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0188
  [ 2 ] CVE-2006-0195
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0195
  [ 3 ] CVE-2006-0377
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0377

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
    

- Vulnerability information

23385
SquirrelMail MagicHTML Style Sheet Comment Filter Bypass

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-02-10 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.4.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

SquirrelMail Multiple Cross-Site Scripting and IMAP Injection Vulnerabilities
Input Validation Error 16756
Yes No
2006-02-21 12:00:00 2006-12-15 10:53:00
Scott Hughes reported the MagicHTML cross-site scripting issue to the vendor. Vicente Aguilera reported the IMAP injection issue. The vendor disclosed the 'webmail.php' cross-site scripting issue.

- Affected program versions

SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SquirrelMail SquirrelMail 1.4.8
SquirrelMail SquirrelMail 1.4.6 -rc1
SquirrelMail SquirrelMail 1.4.5
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
SquirrelMail SquirrelMail 1.4.4 RC1
SquirrelMail SquirrelMail 1.4.4
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
+ Gentoo Linux
SquirrelMail SquirrelMail 1.4.3 RC1
SquirrelMail SquirrelMail 1.4.3 r3
+ Gentoo Linux
SquirrelMail SquirrelMail 1.4.3 a
+ Conectiva Linux 9.0
+ Red Hat Fedora Core3
+ Red Hat Fedora Core2
SquirrelMail SquirrelMail 1.4.3
SquirrelMail SquirrelMail 1.4.2
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ Red Hat Fedora Core2
SquirrelMail SquirrelMail 1.4.1
SquirrelMail SquirrelMail 1.4 RC1
SquirrelMail SquirrelMail 1.4
SquirrelMail SquirrelMail 1.2.11
SquirrelMail SquirrelMail 1.2.10
SquirrelMail SquirrelMail 1.2.9
SquirrelMail SquirrelMail 1.2.8
+ Terra Soft Solutions Yellow Dog Linux 3.0
SquirrelMail SquirrelMail 1.2.7
+ RedHat Linux 8.0
SquirrelMail SquirrelMail 1.2.6
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
SquirrelMail SquirrelMail 1.2.5
SquirrelMail SquirrelMail 1.2.4
SquirrelMail SquirrelMail 1.2.3
SquirrelMail SquirrelMail 1.2.2
SquirrelMail SquirrelMail 1.2.1
SquirrelMail SquirrelMail 1.2 .0
SquirrelMail SquirrelMail 1.0.5
SquirrelMail SquirrelMail 1.0.4
SGI ProPack 3.0 SP6
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
RedHat Linux 9.0 i386
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Desktop 4.0
RedHat Desktop 3.0
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
SquirrelMail SquirrelMail 1.4.6 -cvs

- Unaffected program versions

SquirrelMail SquirrelMail 1.4.6 -cvs

- Vulnerability discussion

SquirrelMail is susceptible to multiple cross-site scripting and IMAP-injection vulnerabilities. These issues are due to the application's failure to properly sanitize user-supplied input.

An attacker may leverage any of the cross-site scripting issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.

An attacker may leverage the IMAP-injection issue to execute arbitrary IMAP commands on the configured IMAP server. This may aid attackers in further attacks and allow them to exploit latent vulnerabilities in the IMAP server.

- Exploit

An exploit is not required to carry out these attacks.

- Solution

The vendor has committed fixes to the SquirrelMail CVS repository. Snapshots of the current development version are available from the vendor. For more information on obtaining fixed versions, please contact the vendor.

See the referenced vendor advisories for more information.


SquirrelMail SquirrelMail 1.2.10

SquirrelMail SquirrelMail 1.2.6

SquirrelMail SquirrelMail 1.4

SquirrelMail SquirrelMail 1.4.2

SquirrelMail SquirrelMail 1.4.3 a

SquirrelMail SquirrelMail 1.4.4

SquirrelMail SquirrelMail 1.4.5

- Related references

 

 
