Debian Security Advisory
DSA-220-1 squirrelmail -- cross site scripting
- Date Reported:
- 02 Jan 2003
- Affected Packages:
- squirrelmail
- Vulnerable:
- Yes
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 6302.
- In Mitre's CVE dictionary: CVE-2002-1341.
- More information:
A cross site scripting vulnerability has been discovered in squirrelmail, a feature-rich webmail package written in PHP4. Squirrelmail doesn't sanitize user-provided variables in all places, leaving it vulnerable to a cross site scripting attack.
For the current stable distribution (woody) this problem has been fixed in version 1.2.6-1.3. The old stable distribution (potato) is not affected since it doesn't contain a squirrelmail package.
An updated package for the unstable distribution (sid) is expected soon.
We recommend that you upgrade your squirrelmail package.
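As an added illustration of the bug class described above, and not code from the advisory or from the squirrelmail project (which names no specific variable), the snippet below shows a webmail-style page echoing a request value into HTML unescaped, beside the corrected form; the parameter name `mailbox` and both function names are assumptions.

```php
<?php
// Added example, not squirrelmail code. The advisory does not name the
// affected variables; 'mailbox' is a constructed stand-in for any
// user-controlled value that ends up in HTML output.

// Vulnerable pattern: the request value is written into the page verbatim,
// so any markup supplied in the request is rendered by the reader's browser.
function render_folder_heading_unsafe($mailbox) {
    return "<h2>Folder: " . $mailbox . "</h2>";
}

// Hardened pattern: encode the value for an HTML text context at the point
// of output. ENT_QUOTES also encodes single quotes, so the same encoding is
// safe inside attribute values delimited with either quote character.
function render_folder_heading_safe($mailbox) {
    $encoded = htmlspecialchars($mailbox, ENT_QUOTES);
    return "<h2>Folder: " . $encoded . "</h2>";
}

// In a real page the value would come from the request, e.g.
// $HTTP_GET_VARS['mailbox'] on PHP4 or $_GET['mailbox'] on later releases.
// A constructed test value is used here so the script runs offline.
$input = 'INBOX<b>"bold"</b>';

// The tag survives into the page unchanged.
echo render_folder_heading_unsafe($input), "\n";

// The tag and the quotes are encoded and display as literal text.
echo render_folder_heading_safe($input), "\n";
?>
```

The fix in the advisory is of this second kind: every place a user-controlled variable reaches the HTML output must encode it, not only the obvious ones.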
- Fixed in:
- Debian GNU/Linux 3.0 (woody)
- Source:
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-1.3.dsc
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-1.3.diff.gz
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6.orig.tar.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-1.3_all.deb
MD5 checksums of the listed files are available in the original advisory.