| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 16 Jun 2005 09:23:16 -0500 From: Jonathan Angliss <jon@...irrelmail.org> To: bugtraq@...urityfocus.com Subject: [SM-ANNOUNCE] Patch fixes SquirrelMail cross site scripting vulnerabilities [CAN-2005-1769] Hello All, Several cross site scripting (XSS) vulnerabilties have been discovered in SquirrelMail versions 1.4.0 - 1.4.4. These have been addressed in a patch that can be found at [1]. We advise all our users to apply this patch. We're also releasing SquirrelMail 1.4.5 release candidate 1 today. We expect version 1.4.5 to be out within two weeks from now. The vulnerabilities are in two categories: the majority can be exploited through URL manipulation, and some by sending a specially crafted email to a victim. When done very carefully, this may allow for an attacker to hijack the user's session. We know that versions 1.4.0 to 1.4.3a are vulnerable to most of the issues. The 1.2.x series is not supported anymore; we advise users of that series to upgrade to 1.4.4 with the patch applied. Credits: we would like to thank Martijn Brinkers who helped a lot in finding these vulnerabilities, and Cor Bosman of XS4ALL who helped in testing the proposed fixes. [1] http://www.squirrelmail.org/security/issue/2005-06-15 -- Jonathan Angliss <jon@...irrelmail.org>
Powered by blists - more mailing lists