Debian Security Advisory
DSA-220-1 squirrelmail -- cross site scripting
- Date Reported: 02 Jan 2003
- Affected Packages:
- Security database references:
  In the Bugtraq database (at SecurityFocus): BugTraq ID 6302.
  In Mitre's CVE dictionary: CVE-2002-1341.
- More information:
A cross site scripting vulnerability has been discovered in squirrelmail, a feature-rich webmail package written in PHP4. Squirrelmail doesn't sanitize user-provided variables in all places, leaving it vulnerable to a cross site scripting attack.
For the current stable distribution (woody) this problem has been fixed in version 1.2.6-1.3. The old stable distribution (potato) is not affected since it doesn't contain a squirrelmail package.
An updated package for the unstable distribution (sid) is expected soon.
We recommend that you upgrade your squirrelmail package.
- Fixed in:
Debian GNU/Linux 3.0 (woody)
- Architecture-independent component:
MD5 checksums of the listed files are available in the original advisory.
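The flaw class described above, reflecting a user-provided variable into HTML without encoding it, is shown here as an added illustration. This is not SquirrelMail code and says nothing about which of its variables were affected; it is a hypothetical webmail page fragment (function names, the `folder` parameter and the sample input are all constructed) written for PHP 7 or later, with the unsafe rendering beside the hardened one so the difference in output is visible.

```php
<?php
// Added example, not SquirrelMail code. A hypothetical webmail page reflects
// a folder name taken from the query string ($_GET['folder']). Anything a
// client can put in the URL can end up here, so the value is untrusted.

// Vulnerable pattern: the raw value is concatenated straight into markup.
// Any tags in $folder are parsed by the browser in the webmail's origin,
// i.e. with the logged-in user's session.
function render_folder_heading_unsafe(string $folder): string
{
    return "<h2>Folder: " . $folder . "</h2>";
}

// Hardened pattern: encode at the point of output, for the context the
// value lands in. htmlspecialchars() turns <, >, & and quotes into entities
// so the browser shows them as text instead of interpreting them.
// ENT_QUOTES covers single quotes as well, and the explicit charset avoids
// encoding-dependent surprises.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_folder_heading_safe(string $folder): string
{
    return "<h2>Folder: " . html_text($folder) . "</h2>";
}

// The same rule applies inside an attribute: an unencoded double quote
// would otherwise close the value="..." early.
function render_folder_input_safe(string $folder): string
{
    return '<input type="text" name="folder" value="' . html_text($folder) . '">';
}

// Constructed sample input: harmless markup plus a quote, enough to show
// whether the page treats the value as data or as HTML.
function demo(): array
{
    $sample = '<i>Inbox</i> "archive"';
    return [
        'unsafe'     => render_folder_heading_unsafe($sample),
        'safe'       => render_folder_heading_safe($sample),
        'safe_input' => render_folder_input_safe($sample),
    ];
}

// Run from the command line: php this_file.php
// When a real request is being served, the input would come from
// $_GET['folder'] ?? '' instead of the constructed sample.
if (PHP_SAPI === 'cli') {
    foreach (demo() as $label => $html) {
        echo $label, ": ", $html, PHP_EOL;
    }
}
```

The unsafe heading comes back containing a literal `<i>` element, so a browser renders it as markup; the hardened versions return `&lt;i&gt;Inbox&lt;/i&gt; &quot;archive&quot;` and display the text verbatim. The fix for this class of bug is to route every output of user-controlled data through a context-appropriate encoder like `html_text()` rather than to filter input, since a value that is safe in one context (HTML text) can still break out of another (an attribute, or JavaScript).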