Package: squirrelmail
Severity: important
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-3174: "Cross-site scripting (XSS) vulnerability in search.php in
SquirrelMail 1.5.1 and earlier, when register_globals is enabled, allows
remote attackers to inject arbitrary HTML via the mailbox parameter."

The description from the information linked in the CVE:

"SquirrelMail contains a flaw that allows remote Cross-Site Scripting
attacks. Input passed to the "mailbox" parameter in "search.php" isn't
properly sanitised before being returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in
context of an affected site."

There does not appear to be a patch available. However, the CVE notes this is
only a vulnerability when register_globals is on, which is not the default
configuration in Debian. I have not confirmed this vulnerability myself.

Please include the CVE in the changelog.

Thanks,
Alec

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEodt2Aud/2YgchcQRAikLAKDcYBvJyaL6DOxjE7s08Jpf+okwEACg42TF
HHJ13PqZW6PBsw2JApsjJU0=
=gb/b
-----END PGP SIGNATURE-----
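The report above describes the general shape of the bug (a mailbox name taken from the request and returned to the user without escaping, reachable only because register_globals turns query parameters into ordinary PHP variables). The following is an added illustration of that pattern and its hardened form; it is not SquirrelMail's search.php, and the function names, the `$known_mailboxes` allowlist and the sample request are all constructed for the example.

```php
<?php
// Added illustration, not SquirrelMail's code: a hypothetical search page
// that echoes the selected mailbox name back into the rendered HTML.

// Weak pattern. With register_globals = On, PHP populates $mailbox straight
// from the query string, so the value can be attacker-controlled even though
// the script never reads $_GET itself, and it lands in the page unescaped.
function render_search_form_weak($mailbox)
{
    return '<input type="hidden" name="mailbox" value="' . $mailbox . '">'
         . '<p>Searching in ' . $mailbox . '</p>';
}

// Hardened pattern: read the parameter explicitly, accept only a mailbox the
// user actually has, and escape on output. $known_mailboxes is an assumed
// input standing in for the list the IMAP server would return.
function render_search_form_safe(array $request, array $known_mailboxes)
{
    $mailbox = isset($request['mailbox']) ? (string) $request['mailbox'] : 'INBOX';

    // Allowlist check: unknown names fall back to INBOX instead of being echoed.
    if (!in_array($mailbox, $known_mailboxes, true)) {
        $mailbox = 'INBOX';
    }

    // Escape for the HTML attribute and HTML text contexts the value is used in.
    $escaped = htmlspecialchars($mailbox, ENT_QUOTES, 'UTF-8');

    return '<input type="hidden" name="mailbox" value="' . $escaped . '">'
         . '<p>Searching in ' . $escaped . '</p>';
}

// Constructed sample request carrying markup in the mailbox parameter.
$request = array('mailbox' => '"><b>injected</b>');
$known   = array('INBOX', 'Sent', 'Drafts');

echo render_search_form_weak($request['mailbox']), "\n"; // markup reaches the page as-is
echo render_search_form_safe($request, $known), "\n";    // falls back to INBOX, escaped
```

Two independent controls are at work: keeping `register_globals = Off` in php.ini (the Debian default the report mentions) removes the path by which `$mailbox` is silently set from the request, and escaping plus allowlisting at the point of output means the page stays safe even on a host where that setting has been turned on.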