Description of problem:

Squirrelmail 1.4.7 was released on July 4th 2006 which contains several fixes:

- Security: Possible cookie theft in src/redirect.php if register_globals is enabled, and malicious site is running in same domain.
- Fixed that loading the options page always loaded the prefs initial_value on display, instead of the users' value.
- Enabled Ukrainian translation after updates by Serhij Dubyk.
- Fixed from address in case of MDN receipts (patch from Dimitar Pashev).
- Correct variable typo, causing Bogus sequence in FETCH errors (#1460338).
- Reduce references header in a smart way to avoid "header too long" errors from SMTP servers in really long threads (#1167754, #1465342).
- Undo extra sanitizing in decodeHeader() function (#1460638).
- Added workaround for broken OpenBSD 3.8+ setlocale() function (#1427512).
- Fixed session lockups on large attachment downloads.
- Fixed bug_report plugin connections to mapped and secured IMAP servers.
- Fixed possibility to use single quote in provider name (#1475744).
- Improved error handling for the help pages.
- Added new color themes by Jeremy Landes, Tammi Maggard and Lucas Austin-Howe (#1378332), (#1377567), (#1377529), (#1377528), (#1377527), (#1377526), (#1377525), (#1393188).
- Removed invalid $sendmail_path check in configuration utility.
- Backported calendar plugin updates from devel branch. Fixed display of multiline events (#1291081) and sanitizing of quotes (#705796). Fixed possible calendar corruption, when events contain special formatting characters. Moved html sanitizing from backend functions to display code. Removed direct access to $_GET and $_POST variables and simplified form variable processing.
- Fixed some mailbox caching issues, when messages are deleted or moved not in first mailbox page. Fixed use of mailbox cache in right_main.php (#1304408).
- Stop URL parsing, if 8bit symbols or HTML entities are detected (#1356798).
- Improve recovery when EHLO not supported on legacy SMTP servers (#1031455).
- Don't move messages when target mailbox matches source mailbox (#1409453).
- Sanitized IMAP folder names in error_message() function and filters plugin.
- Take X-Forwarded-Host HTTP header in consideration when constructing base_uri for redirects; reduces problems with transparent proxies (#1488590).
- Don't use trailing delimiter when sqimap_mailbox_create() subscribes newly created mailbox.
- Undefined variable in src/right_main.php.
- Security: Local file inclusion in functions/plugin.php with register_globals enabled, and magic_quotes disabled (reported by Denix Solutions). [CVE-2006-2842]
- Add note to conf.pl / config_default.php to warn users that set sensitive passwords in that file to properly secure it.
- Prevent modifications in advanced identities, when editing of identities is disabled.
- Fix incorrect parsing of From with nested parentheses (#1241506).
- Tightened code in search.php for disputed security report. We don't believe this is exploitable, but the code is tightened anyway. [CVE-2006-3174]

Oops, dupe of 200073. The page was not responding and I hit 'Submit' again.
*** This bug has been marked as a duplicate of 200073 ***