In association with heise online

04 December 2008, 17:51

Update for SquirrelMail resolves cross-site scripting vulnerability

The SquirrelMail developers have released Version 1.4.17 of the webmail application, which fixes a cross-site scripting vulnerability. According to the report, maliciously crafted HTML code in an email could trick the HTML filter into letting JavaScript execute in the user's browser when the email was opened. The attack only worked if the option "Show HTML Version by Default" was activated.

In the Release Notes, the developers list the correct matching of alternative identities when replying to messages as one of the important changes. In addition, under IIS (Internet Information Services), SquirrelMail will from now on only send cookies as HTTPS-only when the connection really is secure.
