FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  351541
Date:      2014-04-18
Time:      14:56:43Z
Committer: ohauer

These are the vulnerabilities relating to the commit you have selected:

VuXML ID | Description
a0afb4b9-89a1-11dd-a65b-00163e000016 | squirrelmail -- Session hijacking vulnerability

Hanno Boeck reports:

When configuring a web application to use only ssl (e.g. by forwarding all http-requests to https), a user would expect that sniffing and hijacking the session is impossible.

Though, for this to be secure, one needs to set the session cookie to have the secure flag. Otherwise the cookie will be transferred through HTTP if the victim's browser does a single HTTP request on the same domain.

Squirrelmail does not set that flag. It is fixed in the 1.5 test versions, but current 1.4.15 is vulnerable.


Discovery 2008-08-12
Entry 2008-09-23
squirrelmail le 1.4.15_1

31321
CVE-2008-3663
http://seclists.org/bugtraq/2008/Sep/0239.html
d1ce8a4f-c235-11dd-8cbc-00163e000016 | squirrelmail -- Cross site scripting vulnerability

Squirrelmail team reports:

An issue was fixed that allowed an attacker to send specially-crafted hyperlinks in a message that could execute cross-site scripting (XSS) when the user viewed the message in SquirrelMail.


Discovery 2008-12-03
Entry 2008-12-04
squirrelmail lt 1.4.17

CVE-2008-2379
http://secunia.com/Advisories/32143/
http://sourceforge.net/project/shownotes.php?release_id=644750&group_id=311