package: sqwebmail
severity: important
tags: security

Secunia Research has discovered a vulnerability in SqWebMail, which
can be exploited by malicious people to conduct script insertion
attacks.

The vulnerability is caused by SqWebMail allowing tags such as
"<script>" inside an HTML comment. Combined with "Conditional
Comments" in Internet Explorer, this can be exploited to execute
arbitrary script code in a user's browser session, in the context of
a vulnerable site, when a malicious email is viewed.

Successful exploitation requires that the user is using Internet 
Explorer.

Example in an HTML email:
<!--[if IE]>
<script>alert("Vulnerable!");</script>
<![endif]-->

See http://secunia.com/secunia_research/2005-44/advisory/ for more information.

-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
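
One way a webmail HTML filter could close this hole, shown as an added example that is not part of the original report or of SqWebMail's code: drop every HTML comment before rendering, and log the ones that carry a conditional-comment opener or active markup. The function name, the tag list and the sample message (built around the example above) are assumptions made for illustration.

```python
import re

# A complete HTML comment, or an unterminated one running to end of input.
COMMENT_RE = re.compile(r"<!--.*?(-->|\Z)", re.DOTALL)
# IE conditional-comment opener, e.g. <!--[if IE]> or <!--[if lt IE 7]>
CONDITIONAL_RE = re.compile(r"<!--\s*\[if\b[^\]]*\]>", re.IGNORECASE)
# Tags that become live if a browser parses the comment body (assumed list).
ACTIVE_RE = re.compile(r"<\s*(script|iframe|object|embed|style)\b", re.IGNORECASE)


def sanitize_comments(html):
    """Remove every HTML comment; return (clean_html, findings)."""
    findings = []

    def drop(match):
        body = match.group(0)
        conditional = bool(CONDITIONAL_RE.match(body))
        active = sorted({tag.lower() for tag in ACTIVE_RE.findall(body)})
        if conditional or active:
            findings.append({
                "offset": match.start(),
                "conditional": conditional,
                "active_tags": active,
                # False means the comment never closed: the rest of the
                # message was dropped rather than left for the browser.
                "terminated": match.group(1) == "-->",
            })
        return ""  # comments are never passed through to the viewer

    return COMMENT_RE.sub(drop, html), findings


# Constructed sample message containing the example from the report.
SAMPLE = (
    "<p>Hello</p>\n"
    "<!--[if IE]>\n"
    '<script>alert("Vulnerable!");</script>\n'
    "<![endif]-->\n"
    "<!-- harmless note -->\n"
    "<p>Bye</p>\n"
)

if __name__ == "__main__":
    clean, findings = sanitize_comments(SAMPLE)
    print(repr(clean))
    for finding in findings:
        print(finding)
```

Removing all comments, rather than only those that look conditional, avoids depending on how a particular browser decides where a comment ends.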


