VYPR
Unrated severity · NVD Advisory · Published Aug 6, 2004 · Updated Apr 16, 2026

CVE-2004-0591

Description

Cross-site scripting in SqWebMail's print_header_uc() allows remote attackers to inject arbitrary script via malformed email headers or MIME content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the print_header_uc function (file folder.c) of SqWebMail versions 4.0.4 and earlier, and possibly 3.x [1], [2]. The function does not properly sanitize output derived from email headers or from messages with a message/delivery-status MIME Content-Type, allowing injection of arbitrary HTML or script [1], [2]. The vulnerable code path is reachable when a user views an email with crafted content [2].

Exploitation

A remote attacker can exploit the flaw by sending a specially crafted email message to the victim's mailbox [2]. Two attack vectors exist: (1) including malicious script in email headers, which requires that the victim has SqWebMail configured to display full headers (via preferences or the fullheaders CGI variable); (2) setting the MIME Content-Type header to `message/delivery-status` with malformed content [2]. No authentication beyond the ability to send email to the target is required; the attacker does not need to be a valid user of the mail server [2].

Impact

If a victim views the malicious message using SqWebMail, the injected script executes in the context of their browser session [1], [3]. This can lead to session information leakage (e.g., cookie theft), modification of the SqWebMail application's behavior, or other actions possible with the victim's privileges [2], [3]. The scope of compromise is limited to the web application's session; no direct server-side access is granted.

Mitigation

The vulnerability is fixed in SqWebMail versions included in Courier 0.45.6.20040618 and later [2], [3]. Users are advised to upgrade to the latest version of Courier, which includes the patched SqWebMail [3]. For Debian GNU/Linux, the fix is included in DSA-533 [4]. No effective workaround is known for unpatched installations [3].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
