lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1134258196.20050616092316@netdork.net>
Date: Thu, 16 Jun 2005 09:23:16 -0500
From: Jonathan Angliss <jon@...irrelmail.org>
To: bugtraq@...urityfocus.com
Subject: [SM-ANNOUNCE] Patch fixes SquirrelMail cross site scripting vulnerabilities [CAN-2005-1769]


Hello All,

Several cross site scripting (XSS) vulnerabilties have been discovered
in SquirrelMail versions 1.4.0 - 1.4.4. These have been addressed in a
patch that can be found at [1]. We advise all our users to apply this
patch. We're also releasing SquirrelMail 1.4.5 release candidate 1
today. We expect version 1.4.5 to be out within two weeks from
now.

The vulnerabilities are in two categories: the majority can be exploited
through URL manipulation, and some by sending a specially crafted email
to a victim. When done very carefully, this may allow for an attacker
to hijack the user's session.

We know that versions 1.4.0 to 1.4.3a are vulnerable to most of the
issues. The 1.2.x series is not supported anymore; we advise users of
that series to upgrade to 1.4.4 with the patch applied.

Credits: we would like to thank Martijn Brinkers who helped a lot in
finding these vulnerabilities, and Cor Bosman of XS4ALL who helped in
testing the proposed fixes.

[1] http://www.squirrelmail.org/security/issue/2005-06-15

-- 
Jonathan Angliss
<jon@...irrelmail.org>



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ