Bugtraq mailing list archives
Re: SquirrelMail v1.2.9 XSS bugs
From: Jonathan Angliss <ja () certiflexdimension com>
Date: Tue, 3 Dec 2002 12:07:25 -0600
Hello Euronymous,

On Monday, December 02, 2002, euronymous wrote...

> topic: SquirrelMail v1.2.9 XSS bugs
> product: SquirrelMail v1.2.9
> vendor: www.squirrelmail.org
> risk: low
> date: 12/3/2k2
> discovered by: euronymous /F0KP /HACKRU Team
> advisory url: http://f0kp.iplus.ru/bz/008.txt
> =:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
>
> description
> -----------
> When reading some email you can insert scripting code. read_body.php doesn't filter user input in the `mailbox' and `passed_id' variables. BTW, v1.2.10 was released today; I don't know if this version contains this XSS.
[snip]

Thank you for pointing this out. We would have been a lot more grateful if you had notified us of this issue prior to releasing the bugtraq posting, and it would have been fixed in our 1.2.10 release, which as you pointed out was released just yesterday. The lack of forward notification is frustrating, and it would have been nice to have heard earlier.

Next time any issues such as this arise, please feel free to contact the project administrators/leaders (such as myself), who can all be found listed on http://www.squirrelmail.org/about.php.

--
Jonathan Angliss (jon () squirrelmail org)
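The bug class the quoted advisory reports is reflected XSS: request parameters copied into HTML output without encoding. The following is an added illustration of that shape beside a hardened version; it is constructed for this page and is not SquirrelMail's read_body.php, and the function names and sample input are assumptions.

```php
<?php
// Constructed illustration of the reported bug class, NOT SquirrelMail's own code.
// Both functions emit the kind of link a webmail "read message" page might render.

// Vulnerable shape: request values are pasted straight into the markup.
function render_link_unsafe(array $params): string
{
    $mailbox   = $params['mailbox']   ?? 'INBOX';
    $passed_id = $params['passed_id'] ?? '0';
    return '<a href="read_body.php?mailbox=' . $mailbox
         . '&passed_id=' . $passed_id . '">' . $mailbox . '</a>';
}

// Hardened shape: encode for the URL context and the HTML context separately,
// and allow-list passed_id as a message number before it is used at all.
function render_link_safe(array $params): string
{
    $mailbox   = (string)($params['mailbox'] ?? 'INBOX');
    $passed_id = (string)($params['passed_id'] ?? '0');
    if (!ctype_digit($passed_id)) {
        $passed_id = '0';               // message ids are integers; anything else is dropped
    }
    $href = 'read_body.php?mailbox=' . rawurlencode($mailbox)
          . '&passed_id=' . rawurlencode($passed_id);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($mailbox, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed input: a mailbox name carrying markup characters, a non-numeric id.
$input = ['mailbox' => 'Sent"><b>x</b>', 'passed_id' => '12abc'];
echo render_link_unsafe($input), "\n";   // the quote and tags reach the page unencoded
echo render_link_safe($input), "\n";     // &quot;&gt;&lt;b&gt; in both contexts; passed_id reset to 0
```

Run it with `php` 7 or later; the difference between the two output lines is exactly what a reviewer should look for when auditing a template that echoes request parameters.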