[34736] in bugtraq
Re: SquirrelMail Cross Scripting Attacks....
daemon@ATHENA.MIT.EDU (Jonathan Angliss)
Fri Apr 30 17:44:05 2004
Date: Fri, 30 Apr 2004 15:22:47 -0500
From: Jonathan Angliss <jon@squirrelmail.org>
Message-ID: <241565456.20040430152247@netdork.net>
To: Alvin Alex <alvin_gboy@hotmail.com>
Cc: bugtraq@securityfocus.com
In-Reply-To: <20040429210906.31136.qmail@www.securityfocus.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hello Alvin,

On Thursday, April 29, 2004, Alvin Alex wrote...
> SquirrelMail latest version (although is tested on version 1.4.2) is
> prone to many cross scripting attacks that can be used to steal user
> cookies.
[..]
> Squirrel Mail Coders have been informed of this vulnerability but
> the vulnerability still exists in their latest version.

PLEASE in future notify us before posting bug reports so we can ensure
a fix is in place... The 1.4.3 release which will be out shortly will
fix this issue, along with a number of other XSS issues. While we had
been notified of the issue, we were holding off on announcing the
issue until a fix was in place.
--
Jonathan Angliss
(jon@squirrelmail.org)