mailing list archives
RS-2004-2: "Content-Type" XSS vulnerability affecting other webmail systems
From: Roman Medina-Heigl Hernandez <roman () rs-labs com>
Date: Mon, 05 Jul 2004 20:28:16 +0200
-----BEGIN PGP SIGNED MESSAGE-----
On 29.May.2004, I disclosed an important XSS vulnerability in latest
versions of a well-known webmail: SquirrelMail. Upon publication I
received the notice that other important webmails were also vulnerable
to the same bug. Indeed the same exploits released for SquirrelMail
worked without any changes in these systems. I decided to contact
several other webmail vendors and ask directly to check their software
and confirm or deny the vulnerability.
The purpose of this brief advisory is to provide you with the
collected info in an objective and summarized way.
PS: Sorry for the big delay.
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
-----END PGP SIGNATURE-----
- RS-2004-2: "Content-Type" XSS vulnerability affecting other webmail systems Roman Medina-Heigl Hernandez (Jul 05)