Debian Security Advisory

DSA-220-1 squirrelmail -- cross site scripting

Date Reported:
02 Jan 2003
Affected Packages:
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 6302.
In Mitre's CVE dictionary: CVE-2002-1341.
More information:

A cross site scripting vulnerability has been discovered in squirrelmail, a feature-rich webmail package written in PHP4. Squirrelmail doesn't sanitize user provided variables in all places, leaving it vulnerable to a cross site scripting attack.

For the current stable distribution (woody) this problem has been fixed in version 1.2.6-1.3. The old stable distribution (potato) is not affected since it doesn't contain a squirrelmail package.

An updated package for the unstable distribution (sid) is expected soon.

We recommend that you upgrade your squirrelmail package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.