SquirrelMail  
Donations
News
About
Support
Screen shots
Download
Plugins
Documentation
Sponsors
Bounties













Security Notice
Phishing campain
UPDATE YOUR
EMAIL SECURITY
"IUEU"

Security

Cookies for SSL connection could be sent over non-SSL

Date:
2008-09-28
Description:
An issue was fixed that allowed the cookies of a session started
over SSL (https) to be transmitted over HTTP aswell. This affects
installations that offer SquirrelMail both over HTTP and HTTPS.
This is known as setting the "secure" flag of the cookie.

An override option has been added that can be used when you have
a need to continue a session over HTTP that has been started over
HTTPS, although we do not recommend that.
Affected Versions:
1.4.0 - 1.4.15
Register Globals:
Register_globals does not have to be on for this issue.
CVE ID(s):
CVE-2008-3663
Patch:
view patch
Credits:
Thanks Hanno Böck for discovering and alerting us of this issue.
This page last updated:
2008-09-28 16:16:34
© 1999-2010 by The SquirrelMail Project Team