SquirrelMail  

Security

Cross site scripting in compose, draft & HTML mail viewing

Date:
2006-12-02
Description:
Cross site scripting via malicious input in the mailto parameter of webmail.php and in the session and delete_draft parameters of compose.php. This has been addressed in 1.4.9.

Cross site scripting via a shortcoming in the magicHTML filter. This has been addressed in 1.4.9 and improved in 1.4.9a.
Affected Versions:
1.4.0 - 1.4.9
Register Globals:
Register_globals does not have to be on for this issue.
CVE ID(s):
CVE-2006-6142
Patch:
view patch
Credits:
Thanks go to Martijn Brinkers for his continuous research that uncovered these problems.
This page last updated:
2006-12-04 09:30:18
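
As an added example (not part of the SquirrelMail advisory or code base), this Python script triages web server access logs for requests that carry markup characters in the parameters named in the description. The log format, the sample lines and paths, and the character heuristic are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Scripts and parameters named in the advisory above.
WATCHED = {
    "webmail.php": {"mailto"},
    "compose.php": {"session", "delete_draft"},
}
# Assumed heuristic: markup metacharacters or a script URI scheme in the value.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)
# Request field of a Common/Combined Log Format line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, made-up paths and sizes).
SAMPLE_LOG = """\
192.0.2.10 - - [02/Dec/2006:10:00:01 +0000] "GET /mail/src/webmail.php?mailto=user%40example.org HTTP/1.1" 200 5120
192.0.2.11 - - [02/Dec/2006:10:00:07 +0000] "GET /mail/src/compose.php?session=1&delete_draft=%22%3E%3Cb%3Ex HTTP/1.1" 200 7301
192.0.2.12 - - [02/Dec/2006:10:00:09 +0000] "GET /mail/src/compose.php?session=2&delete_draft=41 HTTP/1.1" 200 7290
192.0.2.13 - - [02/Dec/2006:10:00:12 +0000] "GET /mail/src/other.php?x=%3Cb%3E HTTP/1.1" 200 4100
""".splitlines()


def flag_requests(lines):
    """Return (line_no, script, param, decoded_value) for each suspicious value."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a parseable request line
        target = urlsplit(match.group(1))
        script = target.path.rsplit("/", 1)[-1]
        watched = WATCHED.get(script, set())
        # parse_qs percent-decodes each value once; blank values are kept.
        query = parse_qs(target.query, keep_blank_values=True)
        for name in sorted(watched & query.keys()):
            for value in query[name]:
                if SUSPICIOUS.search(value):
                    hits.append((line_no, script, name, value))
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("line %d: %s %s=%r" % hit)
```

Access logs record only query-string parameters, so values submitted in a POST body are not visible to this check.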
© 1999-2010 by The SquirrelMail Project Team