From: Ryo C. <ry...@il...> - 2003-12-09 16:56:04
AFAIK, this is an issue only if you turn off PHP's magic quotes (which is on by default) _and_ you're using the MySQL backend. If you're concerned, replace include/super2global.inc with the one attached. I haven't tested it on a system with magic quotes off, but it should do the trick.

Ryo

On 12/9/2003, "Robert Schmidt" <ro...@2b...> wrote:
>found this at Secunia Security Advisories:
>
>Description:
>A vulnerability has been reported in IlohaMail, which can be exploited by
>malicious people to conduct Cross Site Scripting attacks.
>
>The problem is that the "user" parameter isn't properly verified,
>allowing malicious people to supply arbitrary HTML and script code.
>
>The vulnerability has been reported in version 0.8.10-Stable. Other
>versions may also be affected.
>
>
>Solution:
>Edit the source code to ensure that input is filtered properly.
>
>
>Reported by / credits:
>Social-Reasons