Hello Alec,

> CVE-2006-3174: "Cross-site scripting (XSS) vulnerability in search.php
> in SquirrelMail 1.5.1 and earlier, when register_globals is enabled,
> allows remote attackers to inject arbitrary HTML via the mailbox
> parameter."

Thank you for your report. Interestingly enough, there has been no contact with the SquirrelMail team about this CVE assignment or this vulnerability and I'm therefore also a bit puzzled as to where it originates. I'll check it out and see whether something needs to be fixed.

> this is only a vulnerability when register_globals is on, which is not
> the default configuration in Debian.

A setup with register_globals set to On when it's not needed is knowingly insecure.

Thijs