[31963] in bugtraq
Re: Webmails + Internet Explorer can create unwanted javascript execution
daemon@ATHENA.MIT.EDU (Jedi/Sector One)
Fri Oct 3 16:23:51 2003
Date: Fri, 3 Oct 2003 21:16:34 +0200
From: Jedi/Sector One <j@pureftpd.org>
To: Jason Munro <jason@stdbev.com>
Cc: bugtraq@securityfocus.com
Message-ID: <20031003191656.GA19128@c9x.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <f549c5c12e863df1fca7140e8161a582@stdbev.com>
On Fri, Oct 03, 2003 at 11:56:47AM -0500, Jason Munro wrote:
> While squirrelmail's filter is based on the same engine apparently either
> it's not up to date or the params are not set as tight.
It looks like Squirrelmail 1.4.0 doesn't filter it, while 1.4.2 does.
Upgrading Squirrelmail is not a bad idea anyway, as before version 1.4.1,
external images could be loaded through the "lowsrc" attribute on browsers
that handle it. But this was not a bug in Squirrelmail either, just a
combination to avoid.
