Please Install the Updated Packages.

SquirrelMail is a standards-based webmail package written in PHP. A server-side code injection flaw was found in the SquirrelMail &quot map_yp_alias&quot function. If SquirrelMail was configured to retrieve a user's IMAP server address from a Network Information Service (NIS) server via the &quot map_yp_alias&quot function, an unauthenticated, remote attacker using a specially-crafted username could use this flaw to execute arbitrary code with the privileges of the web server. (CVE-2009-1579) Multiple cross-site scripting (XSS) flaws were found in SquirrelMail. An attacker could construct a carefully crafted URL, which once visited by an unsuspecting user, could cause the user's web browser to execute malicious script in the context of the visited SquirrelMail web page. (CVE-2009-1578) It was discovered that SquirrelMail did not properly sanitize Cascading Style Sheets (CSS) directives used in HTML mail. A remote attacker could send a specially-crafted email that could place mail content above SquirrelMail's controls, possibly allowing phishing and cross-site scripting attacks. (CVE-2009-1581) Users of squirrelmail should upgrade to this updated package, which contains backported patches to correct these issues.

squirrelmail on CentOS 3

• http://lists.centos.org/pipermail/centos-announce/2009-May/015945.html

---

Updated on 2015-03-25