
E-mail Security Alerts

This section is for security alerts related to e-mail security. I specifically will not be covering virus/worm outbreaks, since the major anti-virus vendors already do a pretty good job of that (unless I think I have something useful to add). What I will be posting are vulnerabilities in Open Source and commercial e-mail software, such as MTAs, list managers, etc.




12/04/06
SquirrelMail Multiple Cross Site Scripting and Input Validation Vulnerabilities
CVE id:  CVE-2006-6142
bugtraq id:  21414
Summary:
(quoted from SecurityFocus)
SquirrelMail is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials and to launch other attacks.



03/15/04
Outlook mailto: URL argument injection vulnerability
CVE id:  CAN-2004-0121
bugtraq id:  9827
Summary:
(quoted from BugTraq)
Microsoft Outlook contains a vulnerability which allows execution of arbitrary code when a victim user views a web page or an e-mail message created by an attacker.



02/21/04
Proofpoint Protection Server, remote MySQL root user vulnerability
CVE id: 
bugtraq id: 
Summary:
(quoted from FullDisclosure)
The MySQL server may be remotely access [sic] by the "root" user without using a password.



02/09/04
GNU Mailman Malformed Message Remote Denial Of Service
CVE id:  CAN-2003-0991
bugtraq id:  9620
Summary:
(quoted from SecurityFocus)
It has been reported that GNU Mailman is prone to a denial of service vulnerability. An attacker could send a carefully crafted message that would cause the Mailman process to crash.



02/09/04
ClamAV Daemon Malformed UUEncoded Message Denial Of Service
CVE id: 
bugtraq id:  9610
Summary:
(quoted from SecurityFocus)
A problem in the handling of specially crafted UUEncoded messages has been identified in ClamAV. Because of this, an attacker may prevent the delivery of e-mail to users.




This site © copyright 2003-2010 Brian Keefer.  Unauthorized republication is forbidden.