phatfunkjazz Posted November 14, 2004

Squirrelmail has a security patch on its web site, explained here: A small vulnerability exists in the decoding of certain headers which could allow for a remote user to exploit a cross site scripting vulnerability.

It comes in the form of a diff file. Since I have limited access to my web server files, can I manually patch the file, by copying and pasting the fixed code in the appropriate file?

> } $iLastMatch = $i; $j = $i; - $ret .= $res[1]; + if ($htmlsave) { + $ret .= htmlspecialchars($res[1]); + } else { + $ret .= $res[1]; + } $encoding = ucfirst($res[3]); switch ($encoding) { case 'B': $replace = base64_decode($res[4]); - $ret .= charset_decode($res[2],$replace); + if ($utfencode) { + $replace = charset_decode($res[2],$replace); + } elseif ($htmlsave) { + $replace = htmlspecialchars($replace); + } + $ret .= $replace; break; case 'Q': $replace = str_replace('_', ' ', $res[4]);

I'm not a programmer; does the minus symbol - $ret .= $res[1]; at the beginning of the line mean to delete that line? I believe the plus symbol + if ($utfencode) { means to add that line.

Thanks, Stefan
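
Review bot: in the `case 'B':` branch, `elseif ($htmlsave)` means the decoded value skips htmlspecialchars() whenever $utfencode is set, so that path depends on charset_decode() returning HTML-safe output, which these lines do not show. A comment on the `if ($utfencode) {` line stating that assumption would let the branch be read on its own. The trailing context shows `case 'Q':` building $replace from $res[4]; check that the rest of the patch gives that branch the same $utfencode/$htmlsave handling, and that callers passing neither flag escape the returned value themselves.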

TCH-Bruce Posted November 14, 2004

Sounds correct to me. I'm assuming you have your own copy of Squirrelmail and not the one in cPanel. Moving for organization and exposure.

phatfunkjazz Author Posted November 14, 2004

Thank you Bruce. I'll give it a try... ...it seems to have worked. Squirrelmail didn't complain when I logged in.

Stefan
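
For readers following the thread, an added example (not SquirrelMail's code and not part of any post above) of the idea behind the fix: when a mail header containing RFC 2047 encoded-words is decoded for display, both the text around each encoded-word and the decoded payload are escaped with htmlspecialchars(). The function name and the sample header are hypothetical and constructed for illustration; removal of whitespace between adjacent encoded-words is not handled.

```php
<?php
// Added illustration; the function name is hypothetical, not a SquirrelMail API.
// Decodes =?charset?B|Q?text?= encoded-words in a header value and returns
// a string that is safe to place in an HTML page.
function decode_header_for_html(string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $re = '/=\?([^?\s]+)\?([BbQq])\?([^?\s]*)\?=/';
    $out = '';
    $pos = 0;
    while (preg_match($re, $value, $m, PREG_OFFSET_CAPTURE, $pos)) {
        [$word, $start] = $m[0];
        // Literal text before the encoded-word comes from the sender too.
        $out .= htmlspecialchars(substr($value, $pos, $start - $pos), $flags, 'UTF-8');
        $charset = $m[1][0];
        $payload = $m[3][0];
        if (strtoupper($m[2][0]) === 'B') {
            $raw = base64_decode($payload, true);
            if ($raw === false) {
                $raw = $word;            // malformed base64: show it as plain text
            }
        } else {
            // In Q encoding "_" stands for a space, then =XX hex escapes.
            $raw = quoted_printable_decode(str_replace('_', ' ', $payload));
        }
        // Convert to UTF-8; fall back to the raw bytes on an unknown charset.
        $utf8 = @iconv($charset, 'UTF-8', $raw);
        if ($utf8 === false) {
            $utf8 = $raw;
        }
        // Escape after decoding: markup hidden inside the encoded-word only
        // becomes visible at this point.
        $out .= htmlspecialchars($utf8, $flags, 'UTF-8');
        $pos = $start + strlen($word);
    }
    // Remainder after the last encoded-word.
    return $out . htmlspecialchars(substr($value, $pos), $flags, 'UTF-8');
}

// Constructed sample: markup both outside and inside an encoded-word.
$subject = 'Re: <i>hello</i> =?iso-8859-1?B?'
         . base64_encode('<script>alert(1)</script>') . '?=';
echo decode_header_for_html($subject), "\n";
```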