Vulnerability Note VU#153043

SquirrelMail compose.php script does not adequately validate input thereby allowing arbitrary user to send messages

Original Release date: 30 May 2002 | Last revised: 10 May 2007


Some versions of SquirrelMail do not properly validate input. Attackers can spoof email addresses through this vulnerability.


SquirrelMail is a collection of PHP4 scripts that provides webmail services. Prior to version 1.24, SquirrelMail does not properly validate Universal Resource Identifiers (URI's) and JavaScript code embedded in HTML tags within an email message. These tags are sent by SquirrelMail to the user's web browser, which could make the browser request the embedded URI's or execute the JavaScript code.


An attacker could craft an email message to a SquirrelMail user which, when read by the user, could automatically send email from the user's account to any address of the attacker's choice. This vulnerability could also be used in a cross-site scripting attack to hijack an authenticated user's session.


Upgrade SquirrelMail to version 1.2.4 or later, available from:

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
SquirrelMail Project TeamAffected28 Jan 200230 May 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



Thanks to Tom McAdam for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

  • CVE IDs: CVE-2002-1648
  • Date Public: 24 Jan 2002
  • Date First Published: 30 May 2002
  • Date Last Updated: 10 May 2007
  • Severity Metric: 1.07
  • Document Revision: 12


If you have feedback, comments, or additional information about this vulnerability, please send us email.