Hello list, thought everyone running Ilohamail frontend might have interest in a copy of this advisory... /thomas.
> ----- Original Message -----
> From: "Secunia Security Advisories" <[EMAIL PROTECTED]>
> Sent: Monday, December 01, 2003 12:05 PM
> Subject: [SA10320] IlohaMail Cross-Site Scripting Vulnerability
>
> > TITLE:
> > IlohaMail Cross-Site Scripting Vulnerability
> >
> > SECUNIA ADVISORY ID:
> > SA10320
> >
> > VERIFY ADVISORY:
> > http://www.secunia.com/advisories/10320/
> >
> > CRITICAL:
> > Less critical
> >
> > IMPACT:
> > Cross Site Scripting
> >
> > WHERE:
> > From remote
> >
> > SOFTWARE:
> > IlohaMail 0.x
> >
> > DESCRIPTION:
> > A vulnerability has been reported in IlohaMail, which can be
> > exploited by malicious people to conduct Cross Site Scripting
> > attacks.
> >
> > The problem is that the "user" parameter isn't properly verified,
> > allowing malicious people to supply arbitrary HTML and script code.
> >
> > The vulnerability has been reported in version 0.8.10-Stable. Other
> > versions may also be affected.
> >
> > SOLUTION:
> > Edit the source code to ensure that input is filtered properly.
> >
> > REPORTED BY / CREDITS:
> > Social-Reasons
> >
> > ----------------------------------------------------------------------
> >
> > About:
> > This Advisory was delivered by Secunia as a free service to help
> > everybody keeping their systems up to date against the latest
> > vulnerabilities.
> >
> > Subscribe:
> > http://www.secunia.com/secunia_security_advisories/
> >
> > Definitions: (Criticality, Where etc.)
> > http://www.secunia.com/about_secunia_advisories/
> >
> > Please Note:
> > Secunia recommends that you verify all advisories you receive by
> > clicking the link.
> > Secunia NEVER sends attached files with advisories.
> > Secunia does not advise people to install third party patches, only
> > use those supplied by the vendor.
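
The advisory's SOLUTION line ("ensure that input is filtered properly") can be read as two checks on the "user" parameter: validate it against an allow-list on input, and HTML-encode it wherever it is written back into a page. The PHP below is an added example, not part of the original post, the advisory, or IlohaMail's source; the function names, the allow-list pattern, and the assumption that the value is reflected into a form field are hypothetical.

```php
<?php
// Added example; not IlohaMail source. Function names and the allow-list
// pattern are assumptions for illustration.

// Input validation: accept only characters expected in a mail login name.
// Returns the value if it is acceptable, or null if it must be rejected.
function validate_user_param($raw)
{
    if (!is_string($raw) || strlen($raw) > 128) {
        return null;
    }
    // Assumed policy: letters, digits, and . _ - @ + only.
    return preg_match('/\A[A-Za-z0-9._@+-]+\z/', $raw) === 1 ? $raw : null;
}

// Output encoding: applied every time the value is written into HTML,
// even when validation has already passed.
function html_attr($value)
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The unfiltered pattern the advisory describes: the value is echoed as-is.
function render_user_field_unfiltered($raw)
{
    return '<input type="text" name="user" value="' . $raw . '">';
}

// Hardened form: validate first, then encode on output.
function render_user_field($raw)
{
    $user = validate_user_param($raw);
    if ($user === null) {
        $user = ''; // rejected: do not reflect the input at all
    }
    return '<input type="text" name="user" value="' . html_attr($user) . '">';
}

// Constructed sample inputs (harmless markup standing in for injected HTML).
$samples = ['thomas@example.org', '"><b>injected</b>'];
foreach ($samples as $s) {
    echo "unfiltered: ", render_user_field_unfiltered($s), "\n";
    echo "filtered:   ", render_user_field($s), "\n";
}
```

With the second sample, the unfiltered version closes the attribute and emits the markup into the page, while the hardened version renders an empty field.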
