VID 21246
Severity 30
Port 80, ...
Protocol TCP
Class CGI
Detailed Description The SquirrelMail package installed on the Web server is vulnerable to cross-site scripting. SquirrelMail is a webmail package written in PHP. A cross-site scripting (XSS) vulnerability in SquirrelMail 1.2.10 and earlier allows remote attackers to execute script as other web users via read_body.php.
The read_body.php script does not filter the user-supplied 'filter_dir' and 'mailbox' parameters before writing them back into the page, so script injected through them is reflected to the browser. An attacker who gets a logged-in user to open a crafted read_body.php link (for example from an HTML email) can run script in that user's browser in the context of the webmail session.
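As an added example (not code from this scanner or from SquirrelMail), the following Python probe checks whether read_body.php reflects the two parameters named above without HTML-encoding them. The URL layout (a src/ directory containing read_body.php) and the passed_id parameter are assumptions; the sample responses are constructed, not captured from a real server, and only stand in for an HTTP fetch.

```python
import html
import secrets
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit

# Parameters the advisory says read_body.php reflected without filtering.
PARAMS = ("filter_dir", "mailbox")


def make_marker(token=None):
    """Unique probe value containing characters that must be HTML-encoded.

    The leading '">' closes a quoted attribute and its tag, which is how a value
    reflected inside an href breaks out into script context.
    """
    token = token or secrets.token_hex(4)
    return f'"><xss{token}>'


def build_probe_url(base_url, param, marker):
    """URL for one probe. base_url is assumed to be the SquirrelMail src/
    directory (hypothetical layout), e.g. http://host/squirrelmail/src/."""
    query = urlencode({"passed_id": "1", param: marker})
    return urljoin(base_url.rstrip("/") + "/", "read_body.php") + "?" + query


def classify(body, marker):
    """Classify one response body.

    'vulnerable': marker reflected verbatim, so < > " reached the HTML unencoded
    'escaped'   : reflected only in HTML-encoded form (what a fix should do)
    'absent'    : not reflected at all (rejected, or page not reached)
    """
    if marker in body:
        return "vulnerable"
    if html.escape(marker, quote=True) in body:
        return "escaped"
    return "absent"


def probe_all(base_url, fetch, marker=None):
    """Probe every parameter; fetch(url) must return the response body as str."""
    marker = marker or make_marker()
    return {p: classify(fetch(build_probe_url(base_url, p, marker)), marker)
            for p in PARAMS}


def fake_fetch(url):
    """Constructed stand-in for an HTTP client: 'mailbox' is echoed into an href
    unencoded (the unfixed behaviour), 'filter_dir' is HTML-encoded (fixed)."""
    qs = parse_qs(urlsplit(url).query)
    if "mailbox" in qs:
        value = qs["mailbox"][0]
    else:
        value = html.escape(qs["filter_dir"][0], quote=True)
    return f'<a href="read_body.php?mailbox={value}&passed_id=1">Delete</a>'


if __name__ == "__main__":
    print(probe_all("http://mail.example/squirrelmail/src/", fake_fetch))
```

The marker deliberately carries a double quote and angle brackets because the parameters land inside href attributes; a server that only strips `<script>` tags would still pass this probe as vulnerable, which is the right answer for an attribute-context reflection.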

* References:
http://marc.theaimsgroup.com/?l=bugtraq&m=103893844126484&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=103911130503272&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=104004924002662&w=2

* Affected Software:
SquirrelMail 1.2.10 and earlier
Recommendation Fixes for this flaw have been released, but further security problems have since been found in SquirrelMail. Upgrade to the latest version of SquirrelMail (1.4.0 or later), available from the official SquirrelMail web site at http://www.squirrelmail.org/
Related URL CVE-2002-1341 (CVE)
Related URL 6302 (SecurityFocus)