Hello Euronymous, On Monday, December 02, 2002, euronymous wrote... > topic: SquirrelMail v1.2.9 XSS bugs > product: SquirrelMail v1.2.9 > vendor: www.squirrelmail.org > risk: low > date: 12/3/2k2 > discovered by: euronymous /F0KP /HACKRU Team > advisory url: http://f0kp.iplus.ru/bz/008.txt > =:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::= > description > ----------- > when reading some email you can to insert the scripting code.. > read_body.php dont make filtering users input in `mailbox' and > `passed_id' variables. btw, today has released v1.2.10. im dont > know if this version contains this xss. > [snip] Thank you for pointing this out. We would have been a lot more grateful if you had notified us of this issue prior to releasing the bugtraq posting, and it would have been fixed in our 1.2.10 release, which as you pointed out was released just yesterday. The lack of forward notification is frustrating, and it would have been nice to have heard earlier. Next time any issues such as this arise, please feel free to contact the project administrators/leaders (such as myself), which can all be found listed on http://www.squirrelmail.org/about.php. -- Jonathan Angliss (jon@squirrelmail.org)
