SquirrelMail Multiple Cross-Site Scripting and IMAP Injection Vulnerabilities
SquirrelMail is susceptible to multiple cross-site scripting and IMAP-injection vulnerabilities. These issues are due to the application's failure to properly sanitize user-supplied input.
An attacker may leverage any of the cross-site scripting issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
An attacker may leverage the IMAP-injection issue to execute arbitrary IMAP commands on the configured IMAP server. This may aid attackers in further attacks as well as allow them to exploit latent vulnerabilities in the IMAP server.
An exploit is not required to carry out these attacks.
The vendor has committed fixes to the SquirrelMail CVS repository. Snapshots of the current development version are available from the vendor. For further information on obtaining fixed versions, contact the vendor.
Version 1.4.6 - CVS
- Security: MagicHTML fix for comments in styles which allowed
for cross site scripting when using Internet Explorer (reported
by Scott Hughes) [CVE-2006-0195].
- Multi-line encoded headers were being deleted (#1394667).
- Security: Prohibit IMAP injection attempts (reported by Vicente
- Handle unsollicited responses inside SORT responses properly.
- Security: Fix possible cross site scripting through the right_main
parameter of webmail.php. This now uses a whitelist of acceptable
- Removed invalid STARTTLS check from configtest.php script.
- Added Georgian language support.
erdicator please provide updated ebuilds, thx
Subject: [SM-ANNOUNCE] SquirrelMail 1.4.6 Released
Date: February 23, 2006 5:01:59 PM EST
It is my proud pleasure to announce the final release of SquirrelMail
This release is very important, and we strongly advise everybody to
update to the latest release.
This version contains a number of security updates that were brought
to our attention via a number of sources.
- In webmail.php, the right_frame parameter was not properly sanitized
to deal with very lenient browsers, which allowed for cross site
scripting or frame replacing. [CVE-2006-0188]
- In the MagicHTML function, some very obscure constructs were
discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy
concern), and comments could be inside keywords (allows for cross site
scripting). Both only affect Internet Explorer users. Found by Martijn
Brinkers and Scott Hughes. [CVE-2006-0195]
- The function sqimap_mailbox_select did not strip newlines from the
mailbox parameter, and thereby allowed for IMAP command injection.
Found by Vicente Aguilera. [CVE-2006-0377]
Further details on SquirrelMail vulnerabilities can be found at the
We strongly encourage any persons uncovering Security issues to
contact the SquirrelMail team via firstname.lastname@example.org.
In This Release
This release contains mostly bug fixes, including corrections for PHP
behaviour changes in file handling, and some data types. Especially
running SquirrelMail on the most recent PHP versions should be much
For further information about the changes involved in this release,
please see the ChangeLog and ReleaseNotes files included with the
The latest release can be downloaded from the SquirrelMail website at
The SquirrelMail development Team
*** Bug 123863 has been marked as a duplicate of this bug. ***
*** Bug 123893 has been marked as a duplicate of this bug. ***
net-mail, eradicator: please bump to 1.4.6
*** Bug 124162 has been marked as a duplicate of this bug. ***
eradicator ( primary maintainer ) is not listed in dev.g.o/devaway, so I will wait for another day or two.
It's in portage. alpha, ppc, and x86 need to mark stable.
Looks like you forgot to commit ...
It's in portage: alpha,ppc,x86 please test and mark 1.4.6 stable
x86 and alpha, could you please test and mark stable or are there any problems?
Done for alpha and x86, sorry for the delay.