CVE-2009-2964: SquirrelMail CSRF Vulnerability Advisory

Vulnerability Key Information Bug ID: Bug 517312 CVE ID: CVE-2009-2964 Vulnerability Type: CSRF (Cross-Site Request Forgery) Affected Software: SquirrelMail Affected Versions: 1.4.19-2.fc10 and earlier Fix: Upgrade to 1.4.19-2.fc11 or newer Fix Date: 2009-08-20 Affected Systems: Fedora 10, Fedora 11 Security Advisory: RHSA-2009:1490 Vulnerability Overview SquirrelMail does not implement protection against Cross-Site Request Forgery (CSRF) attacks. Malicious users can exploit this vulnerability to perform unauthorized actions, such as changing user preferences, deleting emails, or even sending emails on behalf of the user when they visit a malicious webpage. Specific Affected Scripts Multiple features in SquirrelMail 1.4.19 and earlier are vulnerable to CSRF attacks, including email sending and preference modification. The affected scripts include: 1. mailbox_display.php 2. src/addbook_search_html.php 3. src/addressbook.php 4. src/compose.php 5. src/folders.php 6. src/folders_create.php 7. src/folders_delete.php 8. src/folders_rename.php 9. src/folders_rename_getname.php 10. src/folders_subscribe.php 11. src/move_messages.php 12. src/options.php 13. src/options_highlight.php 14. src/options_identities.php 15. src/options_order.php 16. src/search.php 17. src/vcard.php

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2009-2964: SquirrelMail CSRF Vulnerability Advisory