Re: [Fwd: VULNERABILITY IN SQUIRREL MAIL!]

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Maybe I am missing something here but to me it looks like we are already 
donig what is required by haveing a configured var which is not writable by 
the httpd that is the path for the copy attachments stuff. Are we saying 
someone can get by this by changing the address in the post? See below from 
the compose.php

      if (!rename($attachfile, $attachment_dir.$localfilename)) {
         if (!copy($attachfile, $attachment_dir.$localfilename)) {
            plain_error_message(_("Could not move/copy file. File not 
attached"), $color);
            $failed = true;