• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

SquirrelMail Malicious HTML Formatted Email Vulnerability

SquirrelMail is a feature rich webmail program implemented in the PHP4 language. It is available for Linux and Unix based operating systems.

In some versions of SquirrelMail, it is possible to include malicious content in HTML formatted email. Insertion of JavaScript is possible. It is also possible to include relative references to other SquirrelMail scripts, possibly leading to malicious actions being undertaken as the authenticated user.

It has been reported that it is possible to access the compose.php script in this manner, and send new email as the vulnerable user.