http://qmailadmin.sf.net/

Release Notes:

Due to the widespread changes, this release should not be used for
production systems until it has been more thoroughly tested.

The most significant change relates to how QmailAdmin inserts certain
strings into the pages it generates. It now properly escapes strings
before output, so user-supplied data cannot embed HTML tags in the
generated page. This prevents cross-site scripting attacks.

It also properly encodes these strings when inserting them as "GET"
parameters to further qmailadmin calls. This solves problems with
email addresses containing characters such as "+" and "&", which
would otherwise be misinterpreted by the query-string decoder.
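The two escaping steps described above (HTML-safe output and CGI-safe query
parameters, the job of the printh routines mentioned in the ChangeLog), shown as
an added example that is not qmailadmin's own printh.c. The function names,
buffer-length convention and return values are this example's own assumptions.

```c
/* Added example, not code from qmailadmin: bounded HTML-escape and URL-encode. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Replace the characters HTML treats specially so a user-supplied string cannot
 * open a tag.  Returns the length written, or -1 if `out` (size outlen) is too small. */
int html_escape(const char *in, char *out, size_t outlen) {
    size_t pos = 0;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, 0 };
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (pos + n >= outlen) return -1;   /* bounded: keep room for the NUL */
        memcpy(out + pos, rep, n);
        pos += n;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Percent-encode everything but unreserved characters, so '+' (decoded as a space
 * by CGI parsers) and '&' (a parameter separator) survive a GET round trip. */
int url_encode(const char *in, char *out, size_t outlen) {
    size_t pos = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
            if (pos + 1 >= outlen) return -1;
            out[pos++] = (char)c;
        } else {
            if (pos + 3 >= outlen) return -1;
            snprintf(out + pos, 4, "%%%02X", c);  /* writes "%XX" plus NUL */
            pos += 3;
        }
    }
    out[pos] = '\0';
    return (int)pos;
}
```

Both routines refuse to write past the caller's buffer instead of truncating silently, which is the property the snprintf conversion in this release is after.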

In the process of making these changes, some possible buffer overflows
were fixed, along with a bug in the routine that extracts form values
from posted data.

ChangeLog:

Tom Collins
- Modify contrib/alias2forward.pl to work with '/Maildir' or
  '/.maildir' directory names.
- Add #define to qmailadmin.h for globally setting Maildir directory
  name (defaults to "/Maildir" but Gentoo can use ".maildir").
- Better detect .qmail-alias files that are tied to mailing lists.
  (Aliases that end in "-owner" but aren't tied to ezmlm lists
  will now display properly.)
- Add printh.c, new routines for generating HTML-safe and CGI-safe
  strings.
- Convert sprintf calls to snprintf to avoid buffer overflow.
- Changes to almost all .c and .html files to make use of printh
  routines.  QmailAdmin should now properly handle email addresses
  that contain special characters (like '+' and '&'), including
  domain admin addresses.  It now also escapes user-supplied text
  to avoid possible HTML-insertion and cross site scripting attacks.