SquirrelMail  
Donations
News
About
Support
Screen shots
Download
Plugins
Documentation
Sponsors
Bounties





Junk Email Filter






Security Notice
Phishing campain
Version 1.4.15
Security Upgrade

Security

Possible XSS in MagicHTML (IE only)

Date:
2006-02-10
Description:
The MagicHTML filter for incoming HTML email did not correctly disregard comments (/* */) inserted in style sheets ("u/* */rl"). It also accepted "u\rl" as "url" in styles. These allow a malicious user to break the privacy of the user by having them request an item from a remote site when reading the mail. This happens only in browsers that parse this invalid style, only one known is Internet Explorer.
Affected Versions:
<= 1.4.5
Register Globals:
Register_globals does not have to be on for this issue.
CVE ID(s):
CVE-2006-0195
Patch:
view patch
Credits:
These issues were discovered by Martijn Brinkers and Scott Hughes.
This page last updated:
2007-07-03 12:59:23
© 1999-2010 by The SquirrelMail Project Team