In a report via bugtraq on Apr29, many XSS attacks in squirrelmail: http://marc.theaimsgroup.com/?l=bugtraq&m=108334862800260&w=2 (note that Squirrelmail 1.4.3 will fix these and more XSS issues) Affects: 3AS 3ES 3WS
- Fix some XSS issues. (in 1.4.3 RC1) in CVS as: http://marc.theaimsgroup.com/?l=squirrelmail-cvs&m=108232045127038 http://marc.theaimsgroup.com/?l=squirrelmail-cvs&m=108232039707209 http://marc.theaimsgroup.com/?l=squirrelmail-cvs&m=108231961004190 http://marc.theaimsgroup.com/?l=squirrelmail-cvs&m=108231673730889 http://marc.theaimsgroup.com/?l=squirrelmail-cvs&m=108231643021211 - Fixed XSS vulnerability in content-type display in the attachment area of read_body.php discovered by Roman Medina. (since 1.4.3 RC1) http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt http://marc.theaimsgroup.com/?l=squirrelmail-cvs&m=108532891231712 - Unspecified SQL injection attack http://marc.theaimsgroup.com/?l=squirrelmail-devel&m=108424284608500 is actually "SQL injection attack in personal addressbook database class" http://marc.theaimsgroup.com/?l=squirrelmail-cvs&m=108309375029888 Also affects: 3Desktop
To fix this we will upgrade to SquirrelMail version 1.4.3a. Errata in QA.
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2004-240.html