Security

NOTE: If you are looking to contact us regarding spam supposedly sent by SquirrelMail, please read this explanation of why we are not related to this scam.

If you want to contact us regarding lost password, not being able to login or other problems with your mail account, please go to our end user information.

---

The SquirrelMail Project takes security very seriously. If you think you've discovered a security-related issue in SquirrelMail, please contact us directly at security-2009 <at> squirrelmail.org. We will do out best to work with you towards a solution as quickly as possible and of course give credit where it is due.

Below you will find a list of know issues in past SquirrelMail version. A legend of the columns is below the table.

Date	Issue	Versions Affected	RG	CVE id's
2009-05-12	CSS positioning vulnerability	<= 1.4.17	0	CVE-2009-1581
2009-05-11	Session fixation vulnerability	<= 1.4.17	0	CVE-2009-1580
2009-05-10	Server-side code injection in map_yp_alias username map	<= 1.4.18	0	CVE-2009-1579, CVE-2009-1381
2009-05-09	Cross site scripting issues in decrypt_headers.php	<= 1.4.17	0	CVE-2009-1578
2009-05-08	Multiple cross site scripting issues	<= 1.4.17	0	CVE-2009-1578
2008-12-04	Cross site scripting in HTML filter	1.4.0 - 1.4.16	0	CVE-2008-2379
2008-09-28	Cookies for SSL connection could be sent over non-SSL	1.4.0 - 1.4.15	0	CVE-2008-3663
2007-12-13	1.4.12 and 1.4.11 Package Compromise	1.4.11&12	0	CVE-2007-6348
2007-05-09	Cross site scripting in HTML filter	1.4.0-1.4.9a	0	CVE-2007-1262,CVE-2007-2589
2006-12-03	Workaround for Internet Explorer MIME handling	IE	0
2006-12-02	Cross site scripting in compose, draft & HTML mail viewing	1.4.0 - 1.4.9	0	CVE-2006-6142
2006-08-11	Variable overwriting in compose.php	1.4.0 - 1.4.7	0	CVE-2006-4019
2006-06-22	Disputed: search.php cross site scripting	none	1	CVE-2006-3174
2006-06-01	Local file inclusion	<= 1.4.6	1	CVE-2006-2842
2006-02-15	IMAP injection in sqimap_mailbox_select mailbox parameter	<= 1.4.5	0	CVE-2006-0377
2006-02-10	Possible XSS in MagicHTML (IE only)	<= 1.4.5	0	CVE-2006-0195
2006-02-01	Possible XSS through right_frame parameter in webmail.php	<= 1.4.5	0	CVE-2006-0188
2005-07-13	$_POST variable handling in options_identites allows for different attacks	<= 1.4.5-RC1	1	CVE-2005-2095
2005-06-15	Several cross site scripting vulnerabilities	<= 1.4.4	0	CVE-2005-1769
2005-01-20	XSS vulnerability in webmail.php	<= 1.4.4-RC1	0	CVE-2005-0104
2005-01-19	Frame content changing in webmail.php	<= 1.4.4-RC1	0	CVE-2005-0103
2005-01-14	Local file inclusions in prefs.php	1.4.3-RC1 - 1.4.4-RC1	1	CVE-2005-0075
2004-11-10	XSS vulnerability in decodeHeader()	<= 1.4.3a	0	CVE-2004-1036
2004-05-30	XSS vulnerability in Content-Type display in read_body	<= 1.4.3-RC1	0
2004-05-10	SQL injection vulnerability in addressbook	<= 1.4.2	0	CVE-2004-0521
2004-05-01	Multiple XSS vulnerabilities	<= 1.4.2	0	CVE-2004-0519, CVE-2004-0520
2004-04-03	XSS vulnerability in incoming email headers	<= 1.4.0-RC2a	0
2004-04-01	XSS vulnerability when replying to malicious sources	<= 1.4.0-RC2a	0

News

Donations

About

Support

Screen shots

Download

Plugins

Documentation

Sponsors

Bounties