Some versions of SquirrelMail do not properly validate input. Attackers can spoof email addresses through this vulnerability.
An attacker could craft an email message to a SquirrelMail user which, when read by the user, could automatically send email from the user's account to any address of the attacker's choice. This vulnerability could also be used in a cross-site scripting attack to hijack an authenticated user's session.
Upgrade SquirrelMail to version 1.2.4 or later, available from:
Thanks to Tom McAdam for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
|Date First Published:|2002-05-30|
|Date Last Updated:|2007-05-10 17:06 UTC|