Secunia Research has discovered a vulnerability in SqWebMail, which can be exploited by malicious people to conduct script insertion attacks.
Credit:
The information has been provided by Secunia Research.
The original article can be found at: http://secunia.com/secunia_research/2005-44/advisory/
Vulnerable Systems:
* SqWebMail version 5.0.4
The vulnerability is caused by SqWebMail allowing tags such as "<script>" within an HTML comment. Combined with "Conditional Comments" in Internet Explorer, this can be exploited to execute arbitrary script code in a user's browser session, in the context of a vulnerable site, when a malicious email is viewed.
Successful exploitation requires that the user is using Internet Explorer.
Example in an HTML email:
<!--[if IE]>
<script>alert("Vulnerable!");</script>
<![endif]-->
Solution:
The vendor has issued an updated version of SqWebMail, which fixes this vulnerability: http://www.courier-mta.org/?download.php.
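A mail filter that copies only allowlisted tags and escaped text into its output never passes a comment body to the browser, so conditional comments have nothing to reveal. The sketch below is an added example, not SqWebMail's code or the vendor's fix; the tag allowlist and the names MailSanitizer and sanitize are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this example; a production mail filter needs a fuller one.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "blockquote"}
DROP_WITH_CONTENT = {"script", "style"}


class MailSanitizer(HTMLParser):
    """Re-serialize allowlisted tags and text only; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # greater than 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            self.out.append(f"<{tag}>")  # attributes are discarded entirely

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments (including "<!--[if IE]> ... <![endif]-->"), declarations and
    # processing instructions are never copied to the output.
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def unknown_decl(self, data): pass
    def handle_pi(self, data): pass


def sanitize(html_body):
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()  # flush buffered text
    return "".join(parser.out)


# Constructed sample wrapping the advisory's example in ordinary mail markup.
SAMPLE = ('<p>Hello</p><!--[if IE]>\n<script>alert("Vulnerable!");</script>\n'
          '<![endif]--><p>Bye</p>')

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Because the output is rebuilt from parsed events rather than edited in place, an unterminated comment or script element results in the remaining content being dropped instead of passed through.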
Disclosure Timeline:
05/09/2005 - Initial vendor notification
05/09/2005 - Vendor confirms vulnerability and releases a fix
06/09/2005 - Public disclosure