Dear SquirrelMail users,
Several cross site scripting (XSS) vulnerabilties have been discovered
in SquirrelMail versions 1.4.0 - 1.4.4. These have been addressed in a
patch that can be found at . We advise all our users to apply this
patch. We're also releasing SquirrelMail 1.4.5 release candidate 1
today. We expect version 1.4.5 to be out within two weeks from
The vulnerabilities are in two categories: the majority can be exploited
through URL manipulation, and some by sending a specially crafted email
to a victim. When done very carefully, this can cause the session of the
user to be hijacked.
We know that versions 1.4.0 to 1.4.3a are vulnerable to most of the
issues. The 1.2.x series is not supported anymore; we advise users of
that series to upgrade to 1.4.4 with the patch applied.
Credits: we would like to thank Martijn Brinkers who helped a lot in
finding these vulnerabilities, and Cor Bosman of XS4ALL who helped in
testing the proposed fixes.
If you have any questions or concerns, please turn to the
squirrelmail-users@... mailinglist or the
#squirrelmail channel on irc.freenode.net.
The SquirelMail Project Team