Debian Security Advisory
DSA-1241-1 squirrelmail -- cross-site scripting
- Date Reported:
- 25 Dec 2006
- Affected Packages:
- squirrelmail
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2006-6142.
- More information:
-
Martijn Brinkers discovered cross-site scripting vulnerabilities in the mailto parameter of webmail.php, the session and delete_draft parameters of compose.php and through a shortcoming in the magicHTML filter. An attacker could abuse these to execute malicious JavaScript in the user's webmail session.
Also, a workaround was made for Internet Explorer <= 5: IE will attempt to guess the MIME type of attachments based on content, not the MIME header sent. Attachments could fake to be a 'harmless' JPEG, while they were in fact HTML that Internet Explorer would render.
For the stable distribution (sarge) these problems have been fixed in version 2:1.4.4-10.
For the upcoming stable distribution (etch) these problems have been fixed in version 2:1.4.9a-1.
For the unstable distribution (sid) these problems have been fixed in version 2:1.4.9a-1.
We recommend that you upgrade your squirrelmail package.
- Fixed in:
-
Debian GNU/Linux 3.1 (sarge)
- Source:
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-10.dsc
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-10.diff.gz
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4.orig.tar.gz
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-10.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-10_all.deb
MD5 checksums of the listed files are available in the original advisory.