linux-users-group-of-davis
L U G O D
 
Page last updated:
2003 Oct 05 21:50

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

[vox] Semi-OT: SquirrelMail and MSIE,[Fwd: RE: [SM-DEVEL] bugtraq issue.]



Hello,

I know several people on this list use SM, but of those people who use SM
(SquirrelMail) I would expect very few use MSIE to browse their SM mail.
As a result, this message is probably a bit off topic, but here goes....

There is apparently an issue with MSIE, JavaScript, and several
WebMail-based packages where there is risk for XSS and end-client
executing JavaScript that is usually filtered out by SM.

A general post was made to BUGTRAQ about this as a risk with various
webmail based systems. It turns out that SquirrelMail is among those that
seemed to have problems with MSIE. (Or should I say that MSIE has a
problem and SM was not written in such a way to fix some mistakes made by
MS in making MSIE.)

Anyway, a diff patch was published on the SM-Dev list, but it is not
available on their website. (This patch is for 1.4.2.)

-ME


---------------------------- Original Message ----------------------------
Subject: RE: [SM-DEVEL] bugtraq issue.
From:    "p dont think" <pdontthink@angrynerds.com>
Date:    Sat, October 4, 2003 23:44
To:      "'ME'" <dugan@passwall.com>
         squirrelmail-devel@lists.sourceforge.net
--------------------------------------------------------------------------

> Ok. So the questions that would likely be asked by others:
>
> Will this feature addition to cope with a vendor specific addition for
> scripting be considered significant enough to push for a new immediate
> stable release (1.4.2b, or 1.4.3)?
>
> If not, will an immediate official patch be offered for 1.4.2 as a
> temporary measure for SM admins that are afflicted with MSIE users?

Attached is a patch from 1.4.2 to the latest and greatest.  Konstantin rocks.

- paul

Attachment: mime.php.diff.tar.gz
Description: Binary data


