Vulnerability   
Search   
    Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.67563
Category:Mandrake Local Security Checks
Title:Mandriva Security Advisory MDVSA-2010:120 (squirrelmail)
Summary:NOSUMMARY
Description:Description:
The remote host is missing an update to squirrelmail
announced via advisory MDVSA-2010:120.

A vulnerability was reported in the SquirrelMail Mail Fetch plugin,
wherein (when the plugin is activated by the administrator) a user
is allowed to specify (without restriction) any port number for their
external POP account settings. While the intention is to allow users
to access POP3 servers using non-standard ports, this also allows
malicious users to effectively port-scan any server through their
SquirrelMail service (especially note that when a SquirrelMail server
resides on a network behind a firewall, it may allow the user to
explore the network topography (DNS scan) and services available
(port scan) on the inside of (behind) that firewall). As this
vulnerability is only exploitable post-authentication, and better
more specific port scanning tools are freely available, we consider
this vulnerability to be of very low severity. It has been fixed by
restricting the allowable POP port numbers (with an administrator
configuration override available) (CVE-2010-1637).

The updated packages have been patched to correct this issue.

Affected: Corporate 4.0, Enterprise Server 5.0

Solution:
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

https://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2010:120
http://www.squirrelmail.org/security/issue/2010-06-21

Risk factor : Medium

CVSS Score:
4.0

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2010-1637
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
BugTraq ID: 40291
http://www.securityfocus.com/bid/40291
BugTraq ID: 40307
http://www.securityfocus.com/bid/40307
http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043239.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043258.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043261.html
http://www.mandriva.com/security/advisories?name=MDVSA-2010:120
http://conference.hitb.org/hitbsecconf2010dxb/materials/D1%20-%20Laurent%20Oudot%20-%20Improving%20the%20Stealthiness%20of%20Web%20Hacking.pdf#page=69
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/plugins/mail_fetch/functions.php?r1=13951&r2=13950&pathrev=13951
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/plugins/mail_fetch/options.php?r1=13951&r2=13950&pathrev=13951
http://www.openwall.com/lists/oss-security/2010/05/25/3
http://www.openwall.com/lists/oss-security/2010/05/25/9
http://www.openwall.com/lists/oss-security/2010/06/21/1
RedHat Security Advisories: RHSA-2012:0103
http://rhn.redhat.com/errata/RHSA-2012-0103.html
http://secunia.com/advisories/40307
http://www.vupen.com/english/advisories/2010/1535
http://www.vupen.com/english/advisories/2010/1536
http://www.vupen.com/english/advisories/2010/1554
CopyrightCopyright (c) 2010 E-Soft Inc. http://www.securityspace.com

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2024 E-Soft Inc. All rights reserved.