>> SquirrelMail Multiple Cross Site Scripting and IMAP Injection Vulnerabilities
Title : SquirrelMail Multiple Cross Site Scripting and IMAP Injection Vulnerabilities VUPEN ID : VUPEN/ADV-2006-0689 CVE ID : CVE-2006-0188 - CVE-2006-0195 - CVE-2006-0377
Rated as : Moderate Risk
Remotely Exploitable : Yes Locally Exploitable : Yes Release Date : 2006-02-22
Technical Description
Multiple vulnerabilities have been identified in SquirrelMail, which may be exploited by attackers to inject and execute arbitrary commands.
The first issue is due to an input validation error in the "webmail.php" script that does not properly validate the "right_main" parameter, which could be exploited by attackers to cause malicious scripting code to be executed by the user's browser in the security context of an affected Web site.
The second flaw is due to an input validation error when handling comments in styles, which could be exploited by malicious people to conduct cross site scripting attacks.
The third flaw is due to an input validation error when processing the "sqimap_mailbox_select mailbox" parameter, which could be exploited by attackers to inject arbitrary IMAP commands.
