Several XSS vulnerabilities removed from Squirrelmail
Close on the heels of the December 2 release of stable version 1.4.9 of Squirrelmail, a web mail client, its developers have already had to push out 1.4.9a to close a cross-site scripting (XSS) hole. The bug advisory notes that XSS attacks were possible using specially prepared content in the mailto parameter of webmail.php and in the session and delete_draft parameters of compose.php. The magicHTML filter, which is supposed to sanitise HTML mail before it is displayed, could also be abused for the same purpose.
The handling of mail attachments has also been adjusted for security reasons. Before the fix it was possible to pass off an attachment under a false MIME type, which causes problems specific to Internet Explorer. Microsoft's browser inspects the content of a file to guess its type and ignores the type declared by the server. As a result, a file served as a harmless image that in reality contained HTML could be rendered by the browser as a web page, with any script in it executed. The behaviour is present in Internet Explorer 6 and in version 7.
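The following is an added example illustrating the attachment problem described above; it is not SquirrelMail's own code or the fix it shipped. It models a server-side consistency check: an attachment is only served inline under its declared image type if its leading bytes carry the matching magic signature and its first 256 bytes (the sniff window is an assumption, not a figure from the advisory) contain nothing a content-sniffing browser would take for HTML; otherwise it is forced down as an opaque download. The magic signatures, the tag list and the sample attachments are constructed for the example.

```python
"""Attachment MIME-type consistency check (added example, not SquirrelMail code)."""
import re

# Magic-byte signatures for a few image types (constructed list, not exhaustive).
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Markup that a content-sniffing browser treats as evidence of HTML.
# Only the first SNIFF_WINDOW bytes are inspected; the window size is an
# assumption made for this example.
HTML_MARKERS = re.compile(rb"<(html|script|body|head|iframe|object|img|a )", re.I)
SNIFF_WINDOW = 256


def matches_declared_type(declared: str, data: bytes) -> bool:
    """True if the attachment bytes start with a signature for the declared type."""
    sigs = MAGIC.get(declared.lower())
    if sigs is None:
        return False  # unknown or non-image type: not verifiable here
    return any(data.startswith(s) for s in sigs)


def looks_like_html(data: bytes) -> bool:
    """True if the sniff window contains tags a browser might render as HTML.
    This is checked even when the magic bytes match, because a valid GIF
    header followed by <script> is still rendered by a sniffing browser."""
    return HTML_MARKERS.search(data[:SNIFF_WINDOW]) is not None


def response_headers(declared: str, filename: str, data: bytes) -> dict:
    """Choose headers for serving one attachment.

    Inline delivery under the declared type is allowed only when the bytes
    are consistent with that type and carry no HTML-looking markup.  Anything
    else is served as application/octet-stream with a download disposition so
    the browser has no reason to interpret it as a page."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "attachment"
    if matches_declared_type(declared, data) and not looks_like_html(data):
        return {
            "Content-Type": declared,
            "Content-Disposition": f'inline; filename="{safe_name}"',
        }
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # Honoured by later browsers only; harmless for IE6/7, which ignore it.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed samples: a real-looking GIF, a plain HTML file mislabelled
    # as GIF, and a GIF header with script appended (polyglot).
    samples = {
        "photo.gif": b"GIF89a\x01\x00\x01\x00" + b"\x00" * 40,
        "fake.gif": b"<html><body><script>alert(1)</script></body></html>",
        "polyglot.gif": b"GIF89a" + b"\x00" * 10 + b"<script>alert(1)</script>",
    }
    for name, body in samples.items():
        print(name, response_headers("image/gif", name, body))
```

The check is deliberately conservative: a false positive only costs the user a download prompt, whereas a false negative hands the browser a page to render. The X-Content-Type-Options header is a later mitigation that the Internet Explorer versions named in the article do not understand, which is why the example also refuses to serve the file inline rather than relying on the header alone.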
- Cross site scripting in compose, draft & HTML mail viewing, bug advisory from Squirrelmail
- Workaround for Internet Explorer MIME handling, bug report from Squirrelmail
(trk)