SquirrelMail upstream reports: Ivan Markovic discovered a cross-site scripting issue in SquirrelMail. Vulnerable is at least 1.4.16, 1.4.15 and probably all earlier 1.4.x versions. It is possible to trigger this by sending a malicious HTML email message to a user who has the "Show HTML Version" setting turned on.
This issue also affects users that do not have "Show HTML Version by Default" enabled, but select "View" action on specially crafted HTML attachment.
Created attachment 325189: Upstream patch for SquirrelMail 1.4.x
Created attachment 325190: Upstream patch for SquirrelMail 1.5.x
Public now via: http://secunia.com/advisories/32143/

Fixed upstream in 1.4.17 (quoting ReleaseNotes):

An issue was fixed that allowed an attacker to send specially-crafted hyperlinks in a message that could execute cross-site scripting (XSS) when the user viewed the message in SquirrelMail. We would like to thank Secunia Research for reporting this issue to us. It is tracked as CVE-2008-2379.

Upstream SVN commit, 1.4 branch: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13338
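The thread above says only that "specially-crafted hyperlinks" in an HTML message reached the viewer unfiltered; it does not say what the crafting was, and the upstream patch text is not reproduced here. The following is an added example, not SquirrelMail's code and not the upstream fix: it shows the general check an HTML-mail viewer needs on link attributes, namely allow-listing the URL scheme after the normalisation a browser performs (entity decoding, stripping of ASCII control characters and whitespace), so that variants such as `java&#9;script:` or `&#106;avascript:` are caught along with the plain form. The sample message, the allow-list and the placeholder `#` are all assumptions of this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Schemes a webmail viewer is willing to pass through to the browser (assumption of this example).
ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp"}
URL_ATTRS = {"href", "src", "action"}
# Browsers strip ASCII control characters and whitespace before parsing the scheme,
# so "java\tscript:" and "java\nscript:" are both treated as javascript:.
_CTRL = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def url_scheme(url):
    """Return the lower-cased scheme the browser would see, or None if the URL has none."""
    m = _SCHEME.match(_CTRL.sub("", url))
    return m.group(1).lower() if m else None


class LinkSanitizer(HTMLParser):
    """Re-emit the HTML, neutralising links whose scheme is not allow-listed.

    HTMLParser decodes entity references inside attribute values, so the
    check below sees the same string the browser would resolve.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.rejected = []  # original values of every link we refused to pass through

    def _emit_tag(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                continue  # inline event handlers never belong in a rendered mail
            if lname in URL_ATTRS and value is not None and url_scheme(value) not in ALLOWED_SCHEMES:
                self.rejected.append(value)
                value = "#"  # placeholder: link stays visible but does nothing
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._emit_tag(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._emit_tag(tag, attrs, True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # comments/declarations are dropped


def sanitize_links(html):
    """Return (cleaned_html, list_of_rejected_link_values)."""
    p = LinkSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.rejected


# Constructed sample message: one legitimate link and several crafted ones.
SAMPLE_MAIL = (
    '<p>Invoice: <a href="https://example.com/inv">view</a></p>'
    '<a href="java\tscript:alert(1)">a</a>'
    '<a href="&#106;avascript:alert(1)">b</a>'
    '<a href="data:text/html,x">c</a>'
    '<a href="/relative">d</a>'
    '<a href="https://example.com" onclick="alert(1)">e</a>'
)

if __name__ == "__main__":
    cleaned, bad = sanitize_links(SAMPLE_MAIL)
    print(cleaned)
    print("rejected:", bad)
```

Relative URLs are rejected as well: in a webmail context they would resolve against the mail server's own origin, which is exactly where an attacker wants a link to land. The `rejected` list is what you would log or surface when reviewing how such a message was handled.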
squirrelmail-1.4.17-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
squirrelmail-1.4.17-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
squirrelmail-1.4.17-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Upstream advisory: http://www.squirrelmail.org/security/issue/2008-12-04
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2009-0010.html

Fedora:
https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10748
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-10740