thr3ads.net - Secure testing team - [Secure-testing-team] Bug#543818: CVE-2009-2964: Multiple cross-site request forgery (CSRF) vulnerabilities [Aug 2009]

If this information is useful, please help other people find it:
Share via:

Giuseppe Iuculano

2009-Aug-27 06:56 UTC

[Secure-testing-team] Bug#543818: CVE-2009-2964: Multiple cross-site request forgery (CSRF) vulnerabilities

Package: squirrelmail
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for squirrelmail.

CVE-2009-2964[0]:
| Multiple cross-site request forgery (CSRF) vulnerabilities in
| SquirrelMail 1.4.19 and earlier allow remote attackers to hijack the
| authentication of unspecified victims via features such as send
| message and change preferences, related to (1)
| functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3)
| src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6)
| src/folders_create.php, (7) src/folders_delete.php, (8)
| src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10)
| src/folders_subscribe.php, (11) src/move_messages.php, (12)
| src/options.php, (13) src/options_highlight.php, (14)
| src/options_identities.php, (15) src/options_order.php, (16)
| src/search.php, and (17) src/vcard.php.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2964
    http://security-tracker.debian.net/tracker/CVE-2009-2964

Cheers,
Giuseppe

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqWLggACgkQNxpp46476aq4qQCfd7xGKycb4zbR7luKUQdi8UeJ
YiAAnRkV5L1Tw1m62WToOIynC7NVSb1B
=fHbw
-----END PGP SIGNATURE-----

Secure testing team - Aug 2009 - Bug#543818: CVE-2009-2964: Multiple cross-site request forgery (CSRF) vulnerabilities

[Secure-testing-team] Bug#543818: CVE-2009-2964: Multiple cross-site request forgery (CSRF) vulnerabilities