SquirrelMail  

Security

XSS vulnerability in decodeHeader()

Date: 2004-11-10
Description: There is a cross-site scripting issue in the decoding of encoded text in certain headers. SquirrelMail correctly decodes the specially crafted header, but does not sanitize the decoded strings. This concerns the decodeHeader() function in functions/mime.php.
Affected Versions: <= 1.4.3a
Register Globals: register_globals does not have to be on for this issue.
CVE ID(s): CVE-2004-1036
Patch: view patch
Credits: Special thanks go to Joost Pol for notifying us about this issue.
This page last updated: 2006-07-09 15:53:49
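
The pattern that closes this class of bug, as an added example that is not SquirrelMail's code or the referenced patch: a stand-alone PHP decoder for RFC 2047 encoded-words that HTML-escapes every piece after decoding it. The function name, the `ESC` constant and the sample header are assumptions made for illustration.

```php
<?php
// Added illustration, not SquirrelMail's decodeHeader(); names are hypothetical.

const ESC = ENT_QUOTES | ENT_SUBSTITUTE;

// Decode RFC 2047 encoded-words (=?charset?B|Q?text?=) in a header value and
// return text that is safe to place in HTML element content.
function decode_header_for_html(string $raw): string
{
    $out = '';
    $pos = 0;
    $prevEncoded = false;
    $re = '/=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=/';

    while (preg_match($re, $raw, $m, PREG_OFFSET_CAPTURE, $pos)) {
        $literal = substr($raw, $pos, $m[0][1] - $pos);
        // RFC 2047: whitespace between two adjacent encoded-words is dropped.
        if (!($prevEncoded && trim($literal) === '')) {
            $out .= htmlspecialchars($literal, ESC, 'UTF-8');
        }
        [$word, $charset, $enc, $payload] = array_column($m, 0);
        if (strtoupper($enc) === 'B') {
            $bytes = base64_decode($payload, true);
        } else {
            // Q encoding: "_" is a space, "=XX" is a hex-encoded byte.
            $bytes = quoted_printable_decode(str_replace('_', ' ', $payload));
        }
        if ($bytes === false) {
            $text = $word;               // malformed base64: keep the raw token
        } else {
            $text = @iconv($charset, 'UTF-8', $bytes);
            if ($text === false) {
                $text = $bytes;          // unknown charset: escape the raw bytes
            }
        }
        // Escape AFTER decoding: markup hidden inside an encoded-word only
        // becomes visible at this point, so earlier filtering cannot catch it.
        $out .= htmlspecialchars($text, ESC, 'UTF-8');
        $pos = $m[0][1] + strlen($word);
        $prevEncoded = true;
    }
    return $out . htmlspecialchars(substr($raw, $pos), ESC, 'UTF-8');
}

// Constructed sample header: harmless markup carried inside encoded-words.
$subject = 'Re: =?UTF-8?B?' . base64_encode('<b>hi</b>') . '?= =?ISO-8859-1?Q?caf=E9_&_tea?=';
echo decode_header_for_html($subject), "\n";
```

The returned string is meant for HTML element content only; a value placed in an attribute, URL or script context needs the escaping appropriate to that context.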
© 1999-2010 by The SquirrelMail Project Team