SquirrelMail "Address Add" Plugin Vulnerable to Cross Site Scripting

Reported September 28, 2005 by Moritz Naumann

VERSIONS AFFECTED


SquirrelMail "Address Add" Plugin, versions 1.4 to 2.0


DESCRIPTION

SquirrelMail is a popular cross-platform Web-based email interface. A plug-in for SquirrelMail, Address Add, is vulnerable to cross-site scripting attacks. A successful attack might allow an intruder to obtain a person's cookie and session information.

VENDOR RESPONSE

The plug-in's developer, Jimmy Conner, has released Address Add 2.1, which corrects this problem. Administrators who use the plug-in should upgrade to this version. If an upgrade isn't possible, ensure that users have JavaScript disabled in their browsers or that the Address Add plug-in is disabled.
