>> If is an exploit to squirrelmail maybe a simple renaming mailto.php
>> mailtonew.php (and edit all references to mailto.php) can solve temporary
>> this issue.
>
> What is this mailto.php vulnerability of which I've heard so much in
> this thread? Sounds like something rather nasty.

I gave you a list of vulnerabilities in the link to the SquirrelMail site.
CVE-2005-2095, CVE-2006-4019, CVE-2006-6142

Removing mailto.php is not about vulnerabilities. This script provides
integration with Windows "send to -> mail recipient". I've asked to remove
it in order to break possible attacks through Windows integration with
SquirrelMail. You said that you don't have it. OK, then follow the other
suggestions.

I've also asked to disable login_auto in order to make sure that users
enter their passwords and are not logged in automatically.

From your login page I can say that you are not using complex SquirrelMail
modifications and an upgrade is possible. You just have to spend some time
and port your changes from 1.4.4 to 1.4.10.

>> 2. Use the plugin that draw the password in screen, and I don't know if is
>> possible disable password field. (if is possible)
>
> Which plug in is this? This sounds like it could be useful.

captcha plugin.
http://www.squirrelmail.org/plugin_view.php?id=263

--
Tomas

--
squirrelmail-users mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
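
The three items from the reply above (mailto.php present, login_auto enabled, version older than 1.4.10) can be checked on an installation with a short script. This is an added example, not part of the original post or of SquirrelMail. It assumes that mailto.php lives in `src/`, that login_auto is enabled through a `$plugins[N] = 'login_auto';` entry in `config/config.php`, and that the version is set as `$version = '...';` in `functions/strings.php`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: checks a SquirrelMail tree for the three items in the reply.
# Assumed layout: src/mailto.php, $plugins[N] = 'name'; in config/config.php,
# and $version = 'x.y.z'; in functions/strings.php.

# version_lt A B: succeed when dotted version A is older than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    oldest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "$1" ]
}

# audit_squirrelmail DIR [MIN_VERSION]: print findings, return 1 if any.
audit_squirrelmail() {
    sm_dir=$1
    min_ver=${2:-1.4.10}
    rc=0

    if [ -e "$sm_dir/src/mailto.php" ]; then
        echo "mailto.php: present, remove src/mailto.php"
        rc=1
    fi

    # Only uncommented plugin entries count as enabled.
    if grep -Eq "^[[:space:]]*[$]plugins\[[0-9]+\][[:space:]]*=[[:space:]]*'login_auto'" \
        "$sm_dir/config/config.php" 2>/dev/null; then
        echo "login_auto: enabled in config.php, disable it"
        rc=1
    fi

    ver=$(sed -n "s/^[[:space:]]*[$]version[[:space:]]*=[[:space:]]*'\([0-9.]*\)[^']*'.*/\1/p" \
        "$sm_dir/functions/strings.php" 2>/dev/null | head -n 1)
    if [ -z "$ver" ]; then
        echo "version: could not be read from functions/strings.php"
        rc=1
    elif version_lt "$ver" "$min_ver"; then
        echo "version: $ver is older than $min_ver, upgrade"
        rc=1
    fi
    return $rc
}

# Run against a directory when one is given on the command line.
if [ $# -gt 0 ]; then audit_squirrelmail "$@"; fi
```

Run it as `sh audit.sh /path/to/squirrelmail`; an exit status of 0 means none of the three items was found.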