The SquirrelMail Project Team is proud to announce the release of
SquirrelMail 1.4.10. This version is a security release.
This version, 1.4.10, is a maintenance release addressing
the following problems since 1.4.9a:
- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes and stability enhancements
(see ChangeLog for a full list)
This release addresses security issues found since the release of 1.4.9a:
There's an ongoing battle to further secure the HTML filter against malicious
HTML mail and the browsers that accept almost any malformed piece of HTML.
This release contains fixes for the following:
- HTML attachments containing "data:" URLs;
- Internet Explorer in various versions accepts many permutations of HTML
HTML to us-ascii before applying further filters. IE only.
- Request forgery through images. It was possible to include "images" in
HTML mails which were in fact GET requests for the compose.php page sending
mail. These images are now properly detected, and the compose form will only
send mail through a POST request.
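
The "data:" URL and image request forgery items above, illustrated as a filter check plus a POST-only gate; this is an added example, not SquirrelMail's own code. The host name, function names and query parameter names are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

WEBMAIL_HOST = "webmail.example.org"   # assumed placeholder for the webmail's own host
URL_ATTRS = {"src", "href", "background", "action"}

def classify_url(value):
    """Return why a URL from an HTML mail must be neutralised, or None if it may stay."""
    # Browsers drop tab/CR/LF inside URLs and ignore case in the scheme; normalise first.
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip().lower()
    try:
        parts = urlsplit(cleaned)
        host = parts.hostname or ""
    except ValueError:
        return "unparseable"
    if parts.scheme == "data":
        return "data-url"
    # A relative or scheme-relative URL resolves against the webmail page itself, so
    # fetching it as an "image" sends an authenticated GET to the webmail application.
    if parts.scheme in ("", "http", "https") and host in ("", WEBMAIL_HOST):
        return "same-origin-request"
    return None

class MailScanner(HTMLParser):
    """Collects (tag, attribute, reason) for every URL attribute that must be blocked."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in attribute values.
        for name, value in attrs:
            if name in URL_ATTRS and value and (reason := classify_url(value)):
                self.findings.append((tag, name, reason))

def scan_html(html):
    scanner = MailScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def compose_may_send(method):
    """Server-side half of the fix: only a POST may trigger sending."""
    return method.upper() == "POST"

# Constructed sample message; the query parameter names are made up for illustration.
SAMPLE_MAIL = """<p>Hello</p>
<img src="compose.php?demo_to=x%40example.net&amp;demo_send=1">
<img src="cid:logo@example.net">
<a href="&#100;ata:text/html;base64,AAAA">open</a>
<img src="https://images.example.com/banner.png">"""
```
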
Thanks to Mikhail Markin, Tomas Kuliavas and Michael Jordon for reporting
(parts of) these issues and working with us to get them resolved.
These are known as CVE-2007-1262. Further details on SquirrelMail
vulnerabilities can be found at the following address:
SquirrelMail Project Team