A user recently brought to my attention that a cross-site scripting
vulnerability still existed in QmailAdmin for sites using QmailAdmin
version 1.2.3 or earlier, or vpopmail 5.4.9 or earlier. I realized
that I was still running vpopmail 5.4.8 on one of my own servers, and
thought that others might still be running older versions.

So, I'm sending this out as a reminder to everyone. If you're running
old versions, you should upgrade to either vpopmail 5.4.10 or 5.4.13
(which includes a rewritten vdelivermail) and QmailAdmin 1.2.4 (at
least) or 1.2.9 (preferable, has better handling of .qmail files).

I haven't had any reports of the vulnerability being exploited, but it
is theoretically possible when running the old software.
--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/