SquirrelMail 1.4.4 has been released to resolve a number of
security issues disclosed below. It is strongly recommended
that all running SquirrelMail prior to 1.4.4 upgrade to the
latest release.
Remote File Inclusion
Manoel Zaninetti reported an issue in src/webmail.php which
would allow a crafted URL to include a remote web page.
This was assigned CAN-2005-0103 by the Common
Vulnerabilities and Exposures.
Cross Site Scripting Issues
A possible cross site scripting issue exists in
src/webmail.php that is only accessible when the PHP
installation is running with register_globals set to On.
This issue was uncovered internally by the SquirrelMail
Development team. This isssue was assigned CAN-2005-0104 by
the Common Vulnerabilities and Exposures.
A second issue which was resolved in the 1.4.4-rc1 release
was uncovered and assigned CAN-2004-1036 by the Common
Vulnerabilities and Exposures. This issue could allow a
remote user to send a specially crafted header and cause
execution of script (such as javascript) in the client
browser.
Local File Inclusion
A possible local file inclusion issue was uncovered by one
of our developers involving custom preference handlers.
This issue is only active if the PHP installation is running
with register_globals set to On.