197369 – CVE-2006-3174 Squirrelmail XSS flaw

Bug 197369 - CVE-2006-3174 Squirrelmail XSS flaw

Summary: CVE-2006-3174 Squirrelmail XSS flaw

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	squirrelmail
Sub Component:
Version:	5
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	low
Target Milestone:	---
Assignee:	Warren Togami
QA Contact:
Docs Contact:
URL:
Whiteboard:	source=cve,reported=20060622,impact=l...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-06-30 16:47 UTC by Josh Bressers
Modified:	2007-11-30 22:11 UTC (History)
CC List:	1 user (show)
Fixed In Version:	squirrelmail-1.4.7-2.fc5
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-07-10 17:20:31 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Josh Bressers 2006-06-30 16:47:28 UTC

Squirrelmail XSS flaw

A cross site scripting bug was found in the way squirrelmail displays
the "mailbox" parameter when passed to the search.php script.

This issue is only an issue when register_globals is enabled, which is
not suggested under any circumstances.

The original report is here:
http://pridels.blogspot.com/2006/06/squirrelmail-151-xss-vuln.html

The patch is here:
http://squirrelmail.cvs.sourceforge.net/squirrelmail/squirrelmail/src/search.php?r1=1.92.2.15&r2=1.92.2.16


This issue also affects FC4

Comment 1 Warren Togami 2006-07-10 17:20:31 UTC

Pushed in
squirrelmail-1.4.7-2.fc4
squirrelmail-1.4.7-2.fc5

Note You need to log in before you can comment on or make changes to this bug.