Martijn Brinkers discovered cross-site scripting vulnerabilities in the mailto parameter of webmail.php, the session and delete_draft parameters of compose.php and through a shortcoming in the magicHTML filter. An attacker could abuse these to execute malicious JavaScript in the user's webmail session.
Also, a workaround was made for Internet Explorer <= 5: IE attempts to guess the MIME type of attachments from their content rather than from the MIME header sent. An attachment could pose as a 'harmless' JPEG while in fact being HTML that Internet Explorer would render.
For the stable distribution (sarge) these problems have been fixed in version 2:1.4.4-10.
For the upcoming stable distribution (etch) these problems have been fixed in version 2:1.4.9a-1.
For the unstable distribution (sid) these problems have been fixed in version 2:1.4.9a-1.
We recommend that you upgrade your squirrelmail package.
MD5 checksums of the listed files are available in the original advisory.
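The attachment type guessing described above can be countered on the server by never serving inline a file whose bytes disagree with its declared image type. The following is an added example, not SquirrelMail's own workaround and not code from the advisory; the function name, the 256-byte sniff window and the sample byte strings are assumptions made for illustration.

```python
import re

# Magic-byte prefixes for the image types we are willing to render inline.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}
# Markup that a content-sniffing browser could take as a sign of HTML.
HTML_HINT = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|img|a|table|title|pre)\b",
    re.I,
)
SNIFF_WINDOW = 256  # assumption: number of leading bytes the browser inspects


def attachment_headers(declared_type, body, filename="attachment"):
    """Return response headers for serving one mail attachment.

    The declared type is honoured only when the bytes carry the matching
    signature and the sniffed prefix holds no markup. Everything else is
    sent as an opaque download so the browser has nothing to render.
    """
    mime = declared_type.split(";", 1)[0].strip().lower()
    signature_ok = any(body.startswith(m) for m in IMAGE_MAGIC.get(mime, ()))
    if signature_ok and not HTML_HINT.search(body[:SNIFF_WINDOW]):
        return {"Content-Type": mime, "Content-Disposition": "inline"}
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


# Constructed sample inputs (not taken from any real message).
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
HTML_AS_JPEG = b"<html><body>not an image</body></html>"
GIF_WITH_MARKUP = b"GIF89a" + b"<html><body>not an image</body></html>"

if __name__ == "__main__":
    for label, ctype, data in [
        ("real jpeg", "image/jpeg", REAL_JPEG),
        ("html declared as jpeg", "image/jpeg", HTML_AS_JPEG),
        ("gif header followed by markup", "image/gif", GIF_WITH_MARKUP),
    ]:
        print(label, "->", attachment_headers(ctype, data, "photo.jpg"))
```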