Multiple security vulnerabilties exist in SquirrelMail < v 1.2.3 that allow malicious HTML messages to: * send messages appearing to come from the user * run arbitrary javascript Description ----------- The compose.php script allows parameters to be passed as GETs. Therefore including the following in an HTML mail will send a message to xat_private: <img src="compose.php?send_to=xat_private&subject=foo&bar=bar&send=1"> The read_body.php script does not check HTML tags for javascript. A trivial example: <img src="javascript:alert('Oh dear')"> Resolution ---------- Upgrade to version 1.2.3 of SquirrelMail Acknowledgements ---------------- Thanks to for Philippe Mingo for fixing this bug
This archive was generated by hypermail 2b30 : Thu Jan 24 2002 - 16:02:26 PST