Thanks Ben,
-munir

On Monday 01 April 2002 07:43 pm, Ben Lutgens wrote:
> Spotted this on bugtraq, attached patch. Enjoy.
>
> ----- Forwarded message from Konstantin Riabitsev <icon at phy.duke.edu> -----
>
> From: Konstantin Riabitsev <icon at phy.duke.edu>
> Date: 31 Mar 2002 16:21:40 -0500
> To: bugtraq at securityfocus.com
> Subject: Re: squirrelmail 1.2.5 email user can execute command
>
> On Wed, 2002-03-27 at 20:16, pokleyzz sakamaniaka wrote:
> > email user can append $THEME variable through
> > cookies
>
> This is very obscure and is limited only to valid users within your
> squirrelmail application (e.g. the person has to have a valid login in
> order to exploit this vulnerability). The problem is fixed in the
> current CVS and will be out with Squirrelmail-1.2.6. Here is the fix,
> should you want to apply it, or just wait till the next release, since
> this is not a high-risk vulnerability.
>
> Regards,
> Konstantin Riabitsev,
> Squirrelmail Bugmaster
>
> ----- End forwarded message -----