Thijs Kinkhorst | 16 Jun 00:12 2005

[SM-ANNOUNCE] Security: patch fixes SquirrelMail cross site scripting vulnerabilities [CAN-2005-1769]

Dear SquirrelMail users,

Several cross site scripting (XSS) vulnerabilities have been discovered
in SquirrelMail versions 1.4.0 - 1.4.4. These have been addressed in a
patch that can be found at [1]. We advise all our users to apply this
patch. We're also releasing SquirrelMail 1.4.5 release candidate 1
today. We expect version 1.4.5 to be out within two weeks from
now.

The vulnerabilities are in two categories: the majority can be exploited
through URL manipulation, and some by sending a specially crafted email
to a victim. When done very carefully, this can cause the session of the
user to be hijacked.

We know that versions 1.4.0 to 1.4.3a are vulnerable to most of the
issues. The 1.2.x series is not supported anymore; we advise users of
that series to upgrade to 1.4.4 with the patch applied.

Credits: we would like to thank Martijn Brinkers who helped a lot in
finding these vulnerabilities, and Cor Bosman of XS4ALL who helped in
testing the proposed fixes.

If you have any questions or concerns, please turn to the
squirrelmail-users <at> lists.sourceforge.net mailing list or the
#squirrelmail channel on irc.freenode.net.

Safe SquirrelMailing!

The SquirrelMail Project Team

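The advisory above says most of the issues are reachable "through URL manipulation": a query-string value is copied into the generated page without HTML encoding, so markup in the URL becomes markup in the browser. The following is an added illustration, not SquirrelMail code from the patch; the page URL, the `mailbox` parameter and the folder-heading markup are assumptions chosen for the example. It shows the vulnerable rendering pattern next to the output-encoded one and a check a reviewer can run to confirm raw input no longer survives into the HTML.

```python
"""Added example (not SquirrelMail's code): reflected XSS via a URL parameter,
the output-encoding fix, and a check that the raw input no longer reaches the page."""
from html import escape
from urllib.parse import parse_qs, urlsplit


def mailbox_from_url(url: str) -> str:
    """Extract the (assumed) ``mailbox`` query parameter, URL-decoded, as a
    webmail front end would before rendering a folder view."""
    params = parse_qs(urlsplit(url).query)
    return params.get("mailbox", ["INBOX"])[0]


def render_unsafe(mailbox: str) -> str:
    """Vulnerable pattern: the parameter is interpolated into HTML verbatim,
    so any tags it carries are interpreted by the browser."""
    return f"<h2>Folder: {mailbox}</h2>"


def render_safe(mailbox: str) -> str:
    """Fixed pattern: HTML-encode the value at the point it enters the page.
    quote=True also encodes quotes, which matters inside attribute values."""
    return f"<h2>Folder: {escape(mailbox, quote=True)}</h2>"


def raw_input_survives(rendered: str, user_input: str) -> bool:
    """True if the user-supplied string appears unencoded in the output while
    still containing HTML-significant characters (a simple regression check)."""
    has_markup_chars = any(ch in user_input for ch in "<>\"'")
    return has_markup_chars and user_input in rendered


# Constructed sample URL (hostname and parameter are made up for this example):
# the folder name carries a script tag, percent-encoded as it would be in a link.
CONSTRUCTED_URL = (
    "http://webmail.example/index.php?mailbox=INBOX%3Cscript%3Ealert(1)%3C/script%3E"
)


def demo() -> dict:
    """Run both renderers on the constructed URL and report which one leaks."""
    value = mailbox_from_url(CONSTRUCTED_URL)
    return {
        "decoded_value": value,
        "unsafe_leaks": raw_input_survives(render_unsafe(value), value),
        "safe_leaks": raw_input_survives(render_safe(value), value),
        "safe_html": render_safe(value),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The encoding step belongs at the output boundary, not at input parsing: the same folder name must still be usable unchanged in IMAP commands, and encoding once on the way into the HTML is what keeps the two contexts from mixing.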

Konstantin Ryabitsev | 16 Jun 01:50 2005

Re: [SM-ANNOUNCE] Security: patch fixes SquirrelMail cross site scripting vulnerabilities [CAN-2005-1769]

On Thu, 2005-06-16 at 00:12 +0200, Thijs Kinkhorst wrote:
> [1] http://prdownloads.sourceforge.net/squirrelmail/sqm-144-xss.patch

RPM packages incorporating this patch have been published on the site
(release identifier 1.4.4-2 or 1.4.4-0.2.7.x). 
Please see http://squirrelmail.org/download.php to get them and then
apply using "rpm -Uvh".

Kind regards,

-- 
Konstantin ("Icon") Ryabitsev
Duke University Physics Sysadmin

Jonathan Angliss | 16 Jun 05:25 2005

[SM-ANNOUNCE] SquirrelMail 1.4.5-RC1 Released

Good evening all,

I'm pleased to announce the release of SquirrelMail 1.4.5-RC1.  This
is a long awaited preparation for the final release of 1.4.5 and there
is lots packed into this release.

In This Release
===============
This release contains a large number of bug fixes, a couple of
feature enhancements, and a few security fixes.

We'd like to pay special thanks to Martijn Brinkers for assistance in
this release as he reported multiple cross-site scripting (XSS) issues
which are detailed in the security update posted here at the URL
below.

  http://www.squirrelmail.org/security/issue/2005-06-15

Bug fixes in this release include folder handling, attachment handling
fixes relating to a change in PHP code behaviour, fixes in the Search
pages, and a lot more.

Enhancements in this release include the new font sheets, the ability
to hide the SquirrelMail headers with more private information,
attempts to detect users' language preferences from browser settings,
and a few more.

Further details on what has been changed can be seen in the ChangeLog.

Reporting Issues
