FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

squirrelmail -- Session hijacking vulnerability

Affected packages
squirrelmail <= 1.4.15_1

Details

VuXML ID a0afb4b9-89a1-11dd-a65b-00163e000016
Discovery 2008-08-12
Entry 2008-09-23

Hanno Boeck reports:

When configuring a web application to use only ssl (e.g. by forwarding all http-requests to https), a user would expect that sniffing and hijacking the session is impossible.

Though, for this to be secure, one needs to set the session cookie to have the secure flag. Otherwise the cookie will be transferred through HTTP if the victim's browser does a single HTTP request on the same domain.

Squirrelmail does not set that flag. It is fixed in the 1.5 test versions, but current 1.4.15 is vulnerable.
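The mechanism described above, as an added example that is not SquirrelMail code: it parses Set-Cookie headers, models which cookies a browser attaches to a plain http:// request on the same domain, and flags session cookies that lack the Secure attribute. The cookie names and header values are constructed samples, and SQMSESSID is assumed to be the session cookie name.

```python
# Added example (not SquirrelMail code): audit Set-Cookie headers for the
# Secure flag and model what a browser sends over http:// vs https://.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    secure: bool    # "Secure" attribute present
    httponly: bool  # "HttpOnly" attribute present


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value into its name and the flags audited here."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return Cookie(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def cookies_sent(cookies, scheme: str):
    """Names a browser would attach to a same-domain request made over `scheme`
    ('http' or 'https'): cookies marked Secure travel only over https."""
    return sorted(c.name for c in cookies if scheme == "https" or not c.secure)


def insecure_session_cookies(set_cookie_headers, session_names):
    """Session cookie names that a single plain-HTTP request would expose."""
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    return sorted(c.name for c in cookies if c.name in session_names and not c.secure)


# Constructed sample headers (not captured from a real server). SQMSESSID is
# assumed to be the session cookie; "lang" stands in for a non-sensitive cookie.
VULNERABLE = ["SQMSESSID=abc123; path=/", "lang=en; path=/"]
HARDENED = ["SQMSESSID=abc123; path=/; Secure; HttpOnly", "lang=en; path=/; Secure"]
SESSION_NAMES = {"SQMSESSID"}

if __name__ == "__main__":
    for label, hdrs in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        cookies = [parse_set_cookie(h) for h in hdrs]
        print(label, "| sent over http:", cookies_sent(cookies, "http"),
              "| flagged:", insecure_session_cookies(hdrs, SESSION_NAMES))
```

Running it shows the constructed vulnerable headers leaking SQMSESSID on any http:// request, while the hardened set sends nothing over plain HTTP.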

References

Bugtraq ID 31321
CVE Name CVE-2008-3663
Message http://seclists.org/bugtraq/2008/Sep/0239.html