Update for SquirrelMail resolves cross-site scripting vulnerability
The SquirrelMail developers have released version 1.4.17 of the webmail application, which fixes a cross-site scripting vulnerability. According to the report, maliciously crafted HTML in an email could trick SquirrelMail's HTML filter into letting JavaScript through, so that it ran in the user's browser when the email was opened. The attack only worked if the option "Show HTML Version by Default" was activated.
Among the important changes, the developers' Release Notes also list the correct matching of alternative identities when replying to messages. In addition, SquirrelMail now sets the HTTPS-only (secure) flag on its cookies under IIS (Internet Information Services) only when the connection really is secure.
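The cookie change above comes down to how a PHP application decides whether the current request really arrived over TLS. The following is an added illustration, not SquirrelMail's own code: it assumes the documented PHP behaviour that under IIS (ISAPI) `$_SERVER['HTTPS']` is set to the string "off" for plain-HTTP requests, whereas Apache leaves it unset, and contrasts a naive presence check with one that handles that case before setting the secure flag.

```php
<?php
// Added example, not code from SquirrelMail. Shows the class of mistake
// behind "secure cookies only when the connection really is secure".
// Assumption (PHP manual): under IIS/ISAPI, $_SERVER['HTTPS'] is "off"
// for plain HTTP requests; Apache simply does not set the variable.

// Naive check: treats the mere presence of the variable as "secure".
// Under IIS a cleartext request carries HTTPS=off and still passes.
function is_secure_naive(array $server): bool
{
    return isset($server['HTTPS']);
}

// Corrected check: require a non-empty value that is not "off".
function is_secure(array $server): bool
{
    if (!isset($server['HTTPS'])) {
        return false;
    }
    $v = strtolower(trim((string) $server['HTTPS']));
    return $v !== '' && $v !== 'off';
}

// Set the session cookie with the secure flag only over a real TLS
// connection, so the browser never sends it back over cleartext HTTP.
// The httponly flag (last argument) keeps it away from page scripts.
function set_session_cookie(string $name, string $value, array $server): void
{
    setcookie($name, $value, 0, '/', '', is_secure($server), true);
}

// Constructed request environments for the two deployments.
$iisPlainHttp = ['HTTPS' => 'off'];   // IIS, no TLS
$apacheTls    = ['HTTPS' => 'on'];    // Apache, TLS

// The naive check wrongly accepts the IIS cleartext request;
// the corrected check accepts only the genuine TLS request.
var_dump(is_secure_naive($iisPlainHttp));
var_dump(is_secure($iisPlainHttp));
var_dump(is_secure($apacheTls));
```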
See also:
- SquirrelMail Malformed HTML Mail Message Script Insertion, report from Ivan Markovic
(djwm)