Date: Thu, 26 Jul 2018 09:50:57 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Squirrelmail XSS security fix

Hi,

I recently posted info about several XSS vulns in squirrelmail [1] to
this list.

Given its upstream state I considered forking squirrelmail, though I
reached out to the maintainer and he claims he's still actively working
on it. I sent him a couple of patches, but they're not applied yet.

For now I'm sharing the patches I use on my own installations:
https://github.com/hannob/squirrelpatches

This contains a security fix for the known XSS issues and hopefully a
few more (though I make no claims that this is safe from XSS now; I'd
appreciate it if others could check). It also contains patches for PHP
warnings and issues with PHP 7.2.

[1] https://sourceforge.net/p/squirrelmail/bugs/2831/

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
