CVE 2008-3663
SquirrelMail 1.4.15 does not set the secure flag for the session cookie in an HTTPS session, which can cause the cookie to be sent in HTTP requests and make it easier for remote attackers to capture this cookie.
Related bugs and status
CVE-2008-3663 (Candidate) is related to these bugs:
Bug #306536: CVE-2008-2379 insufficient input sanitising
Bug | Summary | In | Importance | Status
---|---|---|---|---
306536 | CVE-2008-2379 insufficient input sanitising | squirrelmail (Ubuntu) | Medium | Fix Released
306536 | CVE-2008-2379 insufficient input sanitising | squirrelmail (Ubuntu Dapper) | Medium | Fix Released
306536 | CVE-2008-2379 insufficient input sanitising | squirrelmail (Ubuntu Gutsy) | Medium | Fix Released
306536 | CVE-2008-2379 insufficient input sanitising | squirrelmail (Ubuntu Hardy) | Medium | Fix Released
306536 | CVE-2008-2379 insufficient input sanitising | squirrelmail (Ubuntu Jaunty) | Medium | Fix Released
306536 | CVE-2008-2379 insufficient input sanitising | squirrelmail (Ubuntu Intrepid) | Medium | Fix Released
Bug #321304: default configuration of squirrelmail-secure-login doesn't work
Bug | Summary | In | Importance | Status
---|---|---|---|---
321304 | default configuration of squirrelmail-secure-login doesn't work | squirrelmail-secure-login (Ubuntu) | Undecided | Fix Released
Bug #328938: CVE-2008-3663 Cookies for SSL connection could be sent over non-SSL
Bug | Summary | In | Importance | Status
---|---|---|---|---
328938 | CVE-2008-3663 Cookies for SSL connection could be sent over non-SSL | squirrelmail (Ubuntu) | Undecided | Fix Released
328938 | CVE-2008-3663 Cookies for SSL connection could be sent over non-SSL | squirrelmail (Ubuntu Hardy) | Undecided | Fix Released
328938 | CVE-2008-3663 Cookies for SSL connection could be sent over non-SSL | squirrelmail (Ubuntu Gutsy) | Undecided | Fix Released
328938 | CVE-2008-3663 Cookies for SSL connection could be sent over non-SSL | squirrelmail (Ubuntu Dapper) | Undecided | Fix Released
See the CVE page on Mitre.org for more details.