A user recently brought to my attention that a cross-site scripting vulnerability still existed in QmailAdmin for sites using QmailAdmin version 1.2.3 or earlier, or vpopmail 5.4.9 or earlier. I realized that I was still running vpopmail 5.4.8 on one of my own servers, and thought that others might still be running older versions.

So, I'm sending this out as a reminder to everyone. If you're running old versions, you should upgrade to either vpopmail 5.4.10 or 5.4.13 (which includes a rewritten vdelivermail) and QmailAdmin 1.2.4 (at least) or 1.2.9 (preferable, has better handling of .qmail files).

I haven't had any reports of the vulnerability being exploited, but it is theoretically possible when running the old software.

Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/

Reply via email to