Cookies for SSL connection could be sent over non-SSL
- An issue was fixed that allowed the cookies of a session started
over SSL (https) to be transmitted over HTTP aswell. This affects
installations that offer SquirrelMail both over HTTP and HTTPS.
This is known as setting the "secure" flag of the cookie.
An override option has been added that can be used when you have
a need to continue a session over HTTP that has been started over
HTTPS, although we do not recommend that.
- Affected Versions:
- 1.4.0 - 1.4.15
- Register Globals:
- Register_globals does not have to be on for this issue.
- CVE ID(s):
- view patch
- Thanks Hanno Böck for discovering and alerting us of this issue.
- This page last updated:
- 2008-09-28 16:16:34