On Thu, 8 Sep 2005 10:06:53 +0200 Stefan Hornburg <[EMAIL PROTECTED]> wrote:
> package: sqwebmail
> severity: important
> tags: security
>
> Secunia Research has discovered a vulnerability in SqWebMail, which
> can be exploited by malicious people to conduct script insertion
> attacks.
>
> The vulnerability is caused due to SqWebMail allowing usage of e.g.
> the "<script>" tag within an HTML comment. This, combined with
> "Conditional Comments" in Internet Explorer, can be exploited to
> execute arbitrary script code in a user's browser session in context
> of a vulnerable site when a malicious email is viewed.
>
> Successful exploitation requires that the user is using Internet
> Explorer.
>
> Example in an HTML email:
> <!--[if IE]>
> <script>alert("Vulnerable!");</script>
> <![endif]-->
>
> See http://secunia.com/secunia_research/2005-44/advisory/ for more
> information.

Attached is a patch for this and the other XSS vulnerability described in #327727.

Bye
Racke

-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team

CAN-2005-2724.patch
Description: Binary data
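
An added illustration of the flaw class described in the report above, not code from SqWebMail or from the attached patch: an allow-list HTML mail filter that copies comments through verbatim lets the conditional-comment markup survive, while the same filter with comments dropped does not. The names MailFilter, filter_mail and ALLOWED_TAGS are hypothetical, and Python's html.parser stands in for the real filter.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i"}  # assumption: tiny allow-list for the demo


class MailFilter(HTMLParser):
    """Allow-list filter; keep_comments=True reproduces the reported flaw."""

    def __init__(self, keep_comments):
        super().__init__(convert_charrefs=True)
        self.keep_comments = keep_comments
        self.out = []
        self.dropping = 0  # depth inside <script>/<style>; their text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.dropping += 1
        elif tag in ALLOWED_TAGS and not self.dropping:
            self.out.append(f"<{tag}>")  # attributes are dropped entirely

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.dropping = max(0, self.dropping - 1)
        elif tag in ALLOWED_TAGS and not self.dropping:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data))  # re-encode text so it cannot form tags

    def handle_comment(self, data):
        # The parser hands over the comment body unparsed, so markup inside
        # it never reaches the tag handlers above.
        if self.keep_comments:
            self.out.append(f"<!--{data}-->")  # flaw: copied through verbatim
        # hardened behaviour: emit nothing for comments


def filter_mail(html, keep_comments=False):
    f = MailFilter(keep_comments)
    f.feed(html)
    f.close()
    return "".join(f.out)


# Constructed sample built around the example quoted in the report
SAMPLE = ('<p>Hello</p><!--[if IE]> <script>alert("Vulnerable!");</script> '
          '<![endif]--><script>alert(1)</script><b>bye</b>')

if __name__ == "__main__":
    print("comments kept   :", filter_mail(SAMPLE, keep_comments=True))
    print("comments dropped:", filter_mail(SAMPLE))
```
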