Reported September 28, 2005 by Moritz Naumann

VERSIONS AFFECTED

SquirrelMail “Address Add” Plugin, versions 1.4 to 2.0

DESCRIPTION

SquirrelMail is a popular cross-platform Web-based email interface. A plug-in for SquirrelMail, Address Add, is vulnerable to cross-site scripting attacks. A successful attack might allow an intruder to obtain a person's cookie and session information.

VENDOR RESPONSE

The plug-in's developer, Jimmy Conner, has released Address Add 2.1, which corrects this problem. Administrators who use the plug-in should upgrade to this version. If an upgrade isn't possible, ensure that users have JavaScript disabled in their browsers or that the Address Add plug-in is disabled.