Oxygen3 24h-365d [SquirrelMail 1.4.9a update fixes multiple vulnerabilities - 12/7/06]

taharka res00vl8 at alltel.net
Thu Dec 7 16:42:16 UTC 2006


             "Opera is where a guy gets stabbed in the
               back, and instead of dying, he sings."
          Robert Charles Benchley (1889-1945) US humorist
     (On December 7, 1732, The Royal Opera House opens in London)

    - SquirrelMail 1.4.9a update fixes multiple vulnerabilities - 
   Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, December 7, 2006 - Version 1.4.9a of SquirrelMail has been
released, which fixes several cross-site scripting vulnerabilities that
could be exploited to inject code in Web sessions. 

The first flaw lies in the webmail.php and compose.php scripts and stems
from incorrect filtering of certain parameters before they are sent to
the client. The second vulnerability affects the magicHTML filter which
filters and cleans up content of HTML messages.

An attacker could inject HTML code or scripts through these
vulnerabilities and have them run in the user's mail client.

Versions 1.4.0 to 1.4.9 of SquirrelMail are affected, whereas version
1.4.9a fixes all of these issues. More details are given in the original
advisory, available at http://squirrelmail.org/security/issue/2006-12-02

(*) SquirrelMail is a PHP-based Web mail system, which supports the IMAP
and SMTP protocols. All pages are displayed with HTML 4.0 to ensure
compatibility with as many browsers as possible.

taharka

Lexington, Kentucky U.S.A.
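The two defensive controls implied by the advisory above, as an added illustration that is not SquirrelMail's code and does not reproduce the actual flawed lines: first, a request parameter reflected into a page must be entity-encoded for the HTML context (or rejected outright when it is an identifier such as a folder name), and second, HTML message bodies should pass through an allow-list filter that drops active content and unknown attributes. Function names, the parameter name, the tag and attribute lists, and the sample inputs are all hypothetical choices made for this example.

```php
<?php
// Added illustration (not SquirrelMail code). Names and inputs are hypothetical.
declare(strict_types=1);

// 1. Reflected request parameters: encode on output, validate on input.

// Vulnerable pattern: the raw request value is concatenated into the page,
// so any markup inside it is rendered by the browser.
function renderTitleVulnerable(string $mailbox): string
{
    return '<h1>Folder: ' . $mailbox . '</h1>';
}

// Hardened form: entity-encode for the HTML text context, with the page charset.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

function renderTitleSafe(string $mailbox): string
{
    return '<h1>Folder: ' . h($mailbox) . '</h1>';
}

// When the parameter is an identifier rather than free text, reject rather than encode.
function validMailboxName(string $name): bool
{
    return (bool) preg_match('#^[A-Za-z0-9._/-]{1,255}$#', $name);
}

// 2. HTML message bodies: allow-list filter built on DOMDocument.

function safeUrl(string $url): bool
{
    // Only plain web and mail links survive; every other scheme is dropped.
    return (bool) preg_match('#^(https?://|mailto:)#i', trim($url));
}

function cleanNode(DOMNode $node, array $tags, array $attrs, array $drop): void
{
    // Snapshot the child list first: the tree is mutated while walking it.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child->nodeType === XML_COMMENT_NODE) {
            $node->removeChild($child);
            continue;
        }
        if ($child->nodeType !== XML_ELEMENT_NODE) {
            continue; // text nodes are re-escaped by saveHTML on the way out
        }
        $name = strtolower($child->nodeName);
        if (in_array($name, $drop, true)) {
            $node->removeChild($child); // active content is removed, body included
            continue;
        }
        cleanNode($child, $tags, $attrs, $drop); // clean descendants first
        if (!in_array($name, $tags, true)) {
            // Unknown tag: keep its already-cleaned children, drop the tag itself.
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $aname = strtolower($attr->name);
            if (!in_array($aname, $attrs, true) || ($aname === 'href' && !safeUrl($attr->value))) {
                $child->removeAttribute($attr->name); // covers on*, style, src, and bad hrefs
            }
        }
    }
}

function sanitizeHtml(string $html): string
{
    $allowedTags  = ['p', 'br', 'b', 'i', 'u', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'blockquote', 'div', 'span'];
    $allowedAttrs = ['href', 'title'];
    $dropWithBody = ['script', 'style', 'iframe', 'object', 'embed', 'noscript'];

    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // tolerate the messy HTML found in mail
    $doc->loadHTML('<?xml encoding="UTF-8"?><div id="root">' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $root = (new DOMXPath($doc))->query('//div[@id="root"]')->item(0);
    cleanNode($root, $allowedTags, $allowedAttrs, $dropWithBody);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child); // serializer re-escapes text and attribute values
    }
    return $out;
}

// Constructed sample input, run from the command line to compare the two forms.
if (PHP_SAPI === 'cli') {
    $param = '<script>alert(1)</script>INBOX';
    echo renderTitleVulnerable($param), "\n";
    echo renderTitleSafe($param), "\n";
    var_dump(validMailboxName($param));

    $body = '<p onmouseover="alert(1)">Hi <b>there</b><script>alert(1)</script>'
          . '<a href="javascript:alert(1)">click</a> <a href="https://example.org">ok</a></p>';
    echo sanitizeHtml($body), "\n";
}
```

The sanitizer is allow-list based on purpose: anything not explicitly permitted (tags, attributes, URL schemes) is removed, so new browser features or parser quirks default to being filtered rather than passed through. Parsing with DOMDocument and re-serializing also means the output is well-formed HTML produced by the serializer, not a regex-edited copy of attacker-controlled bytes.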




More information about the fedora-list mailing list