ID CVE-2008-3663
Summary Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
References
Vulnerable Configurations
  • cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 11-10-2018 - 20:49)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality PARTIAL
  • Integrity NONE
  • Availability NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
oval via4
accepted 2013-04-29T04:06:36.641-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
family unix
id oval:org.mitre.oval:def:10548
status accepted
submitted 2010-07-09T03:56:16-04:00
title Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
version 30
redhat via4
advisories
bugzilla
id 473877
title CVE-2008-2379 squirrelmail: XSS issue caused by an insufficient html mail sanitation
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304025
    • comment squirrelmail is earlier than 0:1.4.8-5.el4_7.2
      oval oval:com.redhat.rhsa:tst:20090010001
    • comment squirrelmail is signed with Red Hat master key
      oval oval:com.redhat.rhsa:tst:20060283002
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331005
    • comment squirrelmail is earlier than 0:1.4.8-5.el5_2.2
      oval oval:com.redhat.rhsa:tst:20090010004
    • comment squirrelmail is signed with Red Hat redhatrelease key
      oval oval:com.redhat.rhsa:tst:20070358005
rhsa
id RHSA-2009:0010
released 2009-01-12
severity Moderate
title RHSA-2009:0010: squirrelmail security update (Moderate)
rpms
  • squirrelmail-0:1.4.8-5.el4_7.2
  • squirrelmail-0:1.4.8-5.el5_2.2
  • squirrelmail-0:1.4.8-8.el3
refmap via4
apple APPLE-SA-2009-02-12
bid 31321
bugtraq 20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663
confirm
misc http://int21.de/cve/CVE-2008-3663-squirrelmail.html
secunia 33937
sreason 4304
suse
  • SUSE-SR:2008:028
  • SUSE-SR:2009:004
xf squirrelmail-cookie-session-hijacking(45700)
statements via4
contributor Tomas Hoger
lastmodified 2009-01-12
organization Red Hat
statement This issue has been fixed in the affected Red Hat Enterprise Linux versions via: https://rhn.redhat.com/errata/RHSA-2009-0010.html
Last major update 11-10-2018 - 20:49
Published 24-09-2008 - 14:56
Last modified 11-10-2018 - 20:49