It is my proud pleasure to announce the final release of SquirrelMail
This release is very important, and we strongly advise everybody to
update to the latest release.
This version contains a number of security updates that were brought
to our attention via a number of sources.
- In webmail.php, the right_frame parameter was not properly sanitized
to deal with very lenient browsers, which allowed for cross site
scripting or frame replacing. [CVE-2006-0188]
- In the MagicHTML function, some very obscure constructs were
discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy
concern), and comments could be inside keywords (allows for cross site
scripting). Both only affect Internet Explorer users. Found by Martijn
Brinkers and Scott Hughes. [CVE-2006-0195]
- The function sqimap_mailbox_select did not strip newlines from the
mailbox parameter, and thereby allowed for IMAP command injection.
Found by Vicente Aguilera. [CVE-2006-0377]
Further details on SquirrelMail vulnerabilities can be found at the
We strongly encourage any persons uncovering Security issues to
contact the SquirrelMail team via security@...
In This Release
This release contains mostly bug fixes, including corrections for PHP
behaviour changes in file handling, and some data types. Especially
running SquirrelMail on the most recent PHP versions should be much
For further information about the changes involved in this release,
please see the ChangeLog and ReleaseNotes files included with the
The latest release can be downloaded from the SquirrelMail website at
The SquirrelMail development Team