Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 6.5
CVE Id CVE-2009-0030
Last Modified 21 Aug 2010 01:29:35
Published 21 Jan 2009 03:30:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication SINGLE_INSTANCE

CVE-2009-0030

Summary

A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663.

Vulnerable Systems

Application

  • Squirrelmail 1.4.8


References

REDHAT - RHSA-2009:0057

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=480488

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=480224

XF - squirrelmail-sessionid-session-hijacking(48115)

BID - 33354

SECTRACK - 1021611

SECUNIA - 33611

SUSE - SUSE-SR:2009:004

Related Patches

Red Hat 2009:0057-03 RHSA Important: squirrelmail security update for RHEL 5 x86

Novell SUSE 2009:6563 firefox35upgrade security update for SLE 10 SP3 i586


Last Updated: 27 May 2016 10:49:33