Re: SquirrelMail v1.2.9 XSS bugs

[Jonathan Angliss <ja () certiflexdimension com>]

Hello Euronymous,
On Monday, December 02, 2002, euronymous wrote...

> topic: SquirrelMail v1.2.9 XSS bugs
> product: SquirrelMail v1.2.9
> vendor: www.squirrelmail.org
> risk: low
> date: 12/3/2k2
> discovered by: euronymous /F0KP /HACKRU Team
> advisory url: http://f0kp.iplus.ru/bz/008.txt 
> =:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=

> description
> -----------
> when reading some email you can to insert the scripting code..
> read_body.php dont make filtering users input in `mailbox' and
> `passed_id' variables. btw, today has released v1.2.10. im dont
> know if this version contains this xss.

[snip]

Thank you for pointing this out. We would have been a lot more
grateful if you had notified us of this issue prior to releasing the
bugtraq posting, and it would have been fixed in our 1.2.10 release,
which as you pointed out was released just yesterday. The lack of
forward notification is frustrating, and it would have been nice to
have heard earlier.

Next time any issues such as this arise, please feel free to contact
the project administrators/leaders (such as myself), which can all be
found listed on http://www.squirrelmail.org/about.php.

-- 
Jonathan Angliss
(jon () squirrelmail org)