Dear Sir,
We have found that the following lines of code from SquirrelMail are
vulnerable to script injection. We have listed them below. If you'd like
more detailed information, please feel welcome to e-mail me. More
importantly, if you intend to patch this vulnerability in the future, please
also reply and let me know. Thanks a lot!
Best regards,
Yao-Wen (Wayne) Huang
Research assistant, Institute of Information Science, Academia Sinica,
Taiwan
Ph.D. candidate, Department of Electrical Engineering, National Taiwan
University
File: squirrelmail-1.4.2\plugins\calendar\event_delete.php
Line: 162, variable: year
echo "<a href=\"day.php?year=$year&month=$month&day=$day\">"
.
_("Day View") . "</a>\n";
} else {
Line 36:
if (isset($_GET['year'])) {
$year = $_GET['year'];
}
elseif (isset($_POST['year'])) {
$year = $_POST['year'];
}
Short description:
Since year came directly from HTTP requests, it can not be used directly to
construct HTML output. Therefore the code is vulnerable to Cross-Site
Scripting, which allows an attacker to inject javascript code into a HTML
page. Since the HTML page is delivered on behalf of the server, the "same
origin policy" is violated. This allows an attacker to steal cookies from
the victim.
-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community? Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
--
squirrelmail-users mailing list
List Address: [EMAIL PROTECTED]
List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
