SquirrelMail  
Donations
News
About
Support
Screen shots
Download
Plugins
Documentation
Sponsors
Bounties













Security Notice
Phishing campain
UPDATE YOUR
EMAIL SECURITY
"IUEU"

Security

NOTE: If you're looking to contact us regarding spam supposedly sent by SquirrelMail, please read this explanation of why we are not related to this scam.

If you want to contact us regarding your lost password, not being able to login or other problems with your mail account, please go our end user information.


The SquirrelMail Project takes security very seriously. If you think you've discovered a security-related issue in SquirrelMail, please contact us directly at security-2012 <at> squirrelmail.org. We will do our best to work with you towards a solution as quickly as possible and will of course give all credit where it's due.

Below you will find a list with known issues in past SquirrelMail versions. A legend of the columns is below the table.

DateIssueVersions AffectedRGCVE IDs
2012-03-09 Cross-site scripting vulnerability in the Autocomplete plugin < 3.0 0 CVE-2012-0323
2011-07-12 Clickjacking <= 1.4.21 0 CVE-2010-4554
2011-07-11 Multiple XSS vulnerabilities <= 1.4.21 0 CVE-2010-4555, CVE-2011-2752, CVE-2011-2753
2011-07-10 XSS vulnerability in message display <= 1.4.21 0 CVE-2011-2023
2010-07-23 DoS risk against login page <= 1.4.20 0 CVE-2010-2813
2010-06-21 Mail Fetch plugin as network scanner <= 1.4.20 0 CVE-2010-1637
2009-08-12 CSRF in all forms <= 1.4.19 0 SA34627
2009-05-12 CSS positioning vulnerability <= 1.4.17 0 CVE-2009-1581
2009-05-11 Session fixation vulnerability <= 1.4.17 0 CVE-2009-1580
2009-05-10 Server-side code injection in map_yp_alias username map <= 1.4.18 0 CVE-2009-1579, CVE-2009-1381
2009-05-09 Cross site scripting issues in decrypt_headers.php <= 1.4.17 0 CVE-2009-1578
2009-05-08 Multiple cross site scripting issues <= 1.4.17 0 CVE-2009-1578
2008-12-04 Cross site scripting in HTML filter 1.4.0 - 1.4.16 0 CVE-2008-2379
2008-09-28 Cookies for SSL connection could be sent over non-SSL 1.4.0 - 1.4.15 0 CVE-2008-3663
2007-12-13 1.4.12 and 1.4.11 Package Compromise 1.4.11&12 0 CVE-2007-6348
2007-05-09 Cross site scripting in HTML filter 1.4.0-1.4.9a 0 CVE-2007-1262, CVE-2007-2589
2006-12-03 Workaround for Internet Explorer MIME handling IE 0  
2006-12-02 Cross site scripting in compose, draft & HTML mail viewing 1.4.0 - 1.4.9 0 CVE-2006-6142
2006-08-11 Variable overwriting in compose.php 1.4.0 - 1.4.7 0 CVE-2006-4019
2006-06-22 Disputed: search.php cross site scripting none 1 CVE-2006-3174
2006-06-01 Local file inclusion <= 1.4.6 1 CVE-2006-2842
2006-02-15 IMAP injection in sqimap_mailbox_select mailbox parameter <= 1.4.5 0 CVE-2006-0377
2006-02-10 Possible XSS in MagicHTML (IE only) <= 1.4.5 0 CVE-2006-0195
2006-02-01 Possible XSS through right_frame parameter in webmail.php <= 1.4.5 0 CVE-2006-0188
2005-07-13 $_POST variable handling in options_identites allows for different attacks <= 1.4.5-RC1 1 CVE-2005-2095
2005-06-15 Several cross site scripting vulnerabilities <= 1.4.4 0 CVE-2005-1769
2005-01-20 XSS vulnerability in webmail.php <= 1.4.4-RC1 0 CVE-2005-0104
2005-01-19 Frame content changing in webmail.php <= 1.4.4-RC1 0 CVE-2005-0103
2005-01-14 Local file inclusions in prefs.php 1.4.3-RC1 - 1.4.4-RC1 1 CVE-2005-0075
2004-11-10 XSS vulnerability in decodeHeader() <= 1.4.3a 0 CVE-2004-1036
2004-05-30 XSS vulnerability in Content-Type display in read_body <= 1.4.3-RC1 0  
2004-05-10 SQL injection vulnerability in addressbook <= 1.4.2 0 CVE-2004-0521
2004-05-01 Multiple XSS vulnerabilities <= 1.4.2 0 CVE-2004-0519, CVE-2004-0520
2004-04-03 XSS vulnerability in incoming email headers <= 1.4.0-RC2a 0  
2004-04-01 XSS vulnerability when replying to malicious sources <= 1.4.0-RC2a 0  

The column RG indicates whether the vulnerability only applies to systems that have the PHP register_globals setting turned On, something that is highly discouraged by both PHP and the SquirrelMail team.

CVE IDs are used for cross-referencing security issues between distributions.

This page only lists known issues since the start of the 1.4.0 Stable series.

© 1999-2010 by The SquirrelMail Project Team