Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:20562
HistorySep 24, 2008 - 12:00 a.m.

Squirrelmail: Session hijacking vulnerability, CVE-2008-3663

2008-09-2400:00:00
vulners.com
36
JSON

Squirrelmail: Session hijacking vulnerability, CVE-2008-3663

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3663
http://int21.de/cve/CVE-2008-3663-squirrelmail.html
http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry

Description

When configuring a web application to use only ssl (e. g. by forwarding all
http-requests to https), a user would expect that sniffing and hijacking the
session is impossible.

Though, for this to be secure, one needs to set the session cookie to have the
secure flag. Else the cookie will be transferred through http if the victim's
browser does a single http-request on the same domain.

Squirrelmail does not set that flag. It is fixed in the 1.5 test versions, but
current 1.4.15 is vulnerable.

Disclosure Timeline

2008-08-12: Vendor contacted
2008-09-23 Published advisory

Credits and copyright

This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting.
It's licensed under the creative commons attribution license.

Hanno Boeck, http://www.hboeck.de

Hanno Bock Blog: http://www.hboeck.de/
GPG: 3DBD3B20 Jabber/Mail: [email protected]

Related

nessus 14
openvas 27
fedora 6
veracode 1
freebsd 1
prion 2
cve 2
seebug 2
redhat 1
oraclelinux 2
ubuntucve 2
centos 1
securityvulns 1
nessus
nessus
Fedora 9 : squirrelmail-1.4.16-1.fc9 (2008-8559)
2008-10-24 00:00:00
FreeBSD : squirrelmail -- Session hijacking vulnerability (a0afb4b9-89a1-11dd-a65b-00163e000016)
2008-09-24 00:00:00
openSUSE 10 Security Update : squirrelmail (squirrelmail-5778)
2008-11-18 00:00:00
openvas
openvas
Fedora Update for squirrelmail FEDORA-2008-8559
2009-02-17 00:00:00
FreeBSD Ports: squirrelmail
2008-09-24 00:00:00
Mandrake Security Advisory MDVSA-2009:053 (squirrelmail)
2009-03-02 00:00:00
fedora
fedora
[SECURITY] Fedora 9 Update: squirrelmail-1.4.16-1.fc9
2008-10-23 16:35:48
[SECURITY] Fedora 9 Update: squirrelmail-1.4.17-1.fc9
2008-12-07 04:13:16
[SECURITY] Fedora 8 Update: squirrelmail-1.4.16-1.fc8
2008-10-24 23:48:16
veracode
veracode
Information Disclosure
2020-04-10 00:36:07
freebsd
freebsd
squirrelmail -- Session hijacking vulnerability
2008-08-12 00:00:00
prion
prion
Design/Logic Flaw
2008-09-24 14:56:00
Design/Logic Flaw
2009-01-21 20:30:00
cve
cve
CVE-2008-3663
2008-09-24 14:56:00
CVE-2009-0030
2009-01-21 20:30:00
seebug
seebug
SquirrelMail不安全COOKE泄漏漏洞
2008-09-25 00:00:00
SquirrelMail软件包会话处理绕过认证漏洞
2009-02-19 00:00:00
redhat
redhat
(RHSA-2009:0010) Moderate: squirrelmail security update
2009-01-12 00:00:00
oraclelinux
oraclelinux
squirrelmail security update
2009-01-12 00:00:00
squirrelmail security update
2009-01-20 00:00:00
ubuntucve
ubuntucve
CVE-2008-3663
2008-09-24 00:00:00
CVE-2009-0030
2009-01-21 00:00:00
centos
centos
squirrelmail security update
2009-01-12 15:25:30
securityvulns
securityvulns
Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
2008-09-24 00:00:00
JSON
Related for SECURITYVULNS:DOC:20562
nessus14openvas27fedora6veracode1freebsd1prion2cve2seebug2redhat1oraclelinux2ubuntucve2centos1securityvulns1