An advisory went out on May 30th and can be found here: http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt .
I discovered a new XSS vuln in SquirrelMail which is quite dangerous since it could be exploited simply by sending a specially crafted mail to the victim. The victim only has to read the email in order to trigger the exploit. This bug is present in the latest versions (as well as older ones).
Upgrade to 1.4.3 or the latest 1.5.1 CVS from after May 24th.
I've just put a 1.5.1cvs in the 'testing' repo. Make sure to back up your existing squirrelmail dirs/files before trying it out. If I don't hear of any problems within a week, I'll pull it out of testing and move it to extra.
Cheers,
farphel