SquirrelMail English Site Danish Site French Site Russian Site Japanese Site 
News
About
Support
Screen shots
Download
Plugins
Documentation
Sponsors


search site:
more search

Security

NOTE: If you're looking to contact us regarding spam supposedly sent by SquirrelMail, please read this explanation of why we are not related to this scam.

If you want to contact us regarding your lost password, not being able to login or other problems with your mail account, please go our end user information.

The SquirrelMail Project takes security very seriously. If you think you've discovered a security-related issue in SquirrelMail, please contact us directly at security <at> squirrelmail.org. We will do our best to work with you towards a solution as quickly as possible and will of course give all credit where it's due.

Below you will find a list with known issues in past SquirrelMail versions. A legend of the columns is below the table.

DateIssueVersions AffectedRGCVE id's
2007-12-13 1.4.12 and 1.4.11 Package Compromise 1.4.11&12 0 CVE-2007-6348
2007-05-09 Cross site scripting in HTML filter 1.4.0-1.4.9a 0 CVE-2007-1262, CVE-2007-2589
2006-12-03 Workaround for Internet Explorer MIME handling IE 0  
2006-12-02 Cross site scripting in compose, draft & HTML mail viewing 1.4.0 - 1.4.9 0 CVE-2006-6142
2006-08-11 Variable overwriting in compose.php 1.4.0 - 1.4.7 0 CVE-2006-4019
2006-06-22 Disputed: search.php cross site scripting none 1 CVE-2006-3174
2006-06-01 Local file inclusion <= 1.4.6 1 CVE-2006-2842
2006-02-15 IMAP injection in sqimap_mailbox_select mailbox parameter <= 1.4.5 0 CVE-2006-0377
2006-02-10 Possible XSS in MagicHTML (IE only) <= 1.4.5 0 CVE-2006-0195
2006-02-01 Possible XSS through right_frame parameter in webmail.php <= 1.4.5 0 CVE-2006-0188
2005-07-13 $_POST variable handling in options_identites allows for different attacks <= 1.4.5-RC1 1 CVE-2005-2095
2005-06-15 Several cross site scripting vulnerabilities <= 1.4.4 0 CVE-2005-1769
2005-01-20 XSS vulnerability in webmail.php <= 1.4.4-RC1 0 CVE-2005-0104
2005-01-19 Frame content changing in webmail.php <= 1.4.4-RC1 0 CVE-2005-0103
2005-01-14 Local file inclusions in prefs.php 1.4.3-RC1 - 1.4.4-RC1 1 CVE-2005-0075
2004-11-10 XSS vulnerability in decodeHeader() <= 1.4.3a 0 CVE-2004-1036
2004-05-30 XSS vulnerability in Content-Type display in read_body <= 1.4.3-RC1 0  
2004-05-10 SQL injection vulnerability in addressbook <= 1.4.2 0 CVE-2004-0521
2004-05-01 Multiple XSS vulnerabilities <= 1.4.2 0 CVE-2004-0519, CVE-2004-0520
2004-04-03 XSS vulnerability in incoming email headers <= 1.4.0-RC2a 0  
2004-04-01 XSS vulnerability when replying to malicious sources <= 1.4.0-RC2a 0  

The column RG indicates whether the vulnerability only applies to systems that have the PHP register_globals setting turned On, something that is highly discouraged by both PHP and the SquirrelMail team.

CVE id's are used for cross-referencing security issues between distributions.

This page only lists known issues since the start of the 1.4.0 Stable series.

© 1999-2008 by The SquirrelMail Project Team