Package: squirrelmail
Version: 2:1.4.4-1
Tags: security
Severity: grave

Seems that squirrelmail in unstable is still vulnerable to the cross-site scripting hole CAN-2005-0104. The mail below has some details and a patch against the woody version follows. The CAN-2005-0152 part of the patch is not relevant, but most of the webmail.php patch will apply to the unstable version.

----- Forwarded message from Martin Schulze <[EMAIL PROTECTED]> -----

From: Martin Schulze <[EMAIL PROTECTED]>
Date: Wed, 2 Feb 2005 12:29:21 +0100
To: Joey Hess <[EMAIL PROTECTED]>
Subject: Re: [SECURITY] [DSA 662-1] New squirrelmail package fixes several vulnerabilities
User-Agent: Mutt/1.5.6+20040907i

Joey Hess wrote:
> Martin Schulze wrote:
> > CAN-2005-0104
> >
> >     Upstream developers noticed that an unsanitised variable could
> >     lead to cross site scripting.
>
> The changelog for squirrelmail 2:1.4.4-1 says that the CAN for the XSS
> hole is -0103, not -104. Which is wrong, or is this a different hole?

It's a different hole. Woody is not vulnerable to 0103 and we thought
that it wasn't to 0104 either, but that turned out to be wrong.

> Both CANs are still reserved so I can't check.

This should help:

http://cvs.sf.net/viewcvs.py/squirrelmail/squirrelmail/src/webmail.php?r1=1.92.2.8&r2=1.92.2.6&only_with_tag=SM-1_4-STABLE

Use CAN-2005-0103 for cross site scripting and
CAN-2005-0104 for code injection via unsanitised integer variable

Regards,

Joey

--
Still can't talk about what I can't talk about. Sorry. -- Bruce Schneier

diff -u squirrelmail-1.2.6/debian/changelog squirrelmail-1.2.6/debian/changelog --- squirrelmail-1.2.6/debian/changelog +++ squirrelmail-1.2.6/debian/changelog 
@@ -1,3 +1,16 @@ +squirrelmail (1:1.2.6-2) stable-security; urgency=high + + * Security upload + * [CAN-2005-0152] Close security hole where URL-manipulation in combination + with register_globals and allow_url_fopen both set to On could lead to + remote code execution as the www-data user. (Closes: #292714). + This issue is specific to exactly version 1.2.6 of SquirrelMail (older + and newer versions not vulnerable). Thanks Grant Hollingworth for + discovering this bug and notifying us about it. + * [CAN-2005-0104] Fix possible XSS issues in src/webmail.php. + + -- Thijs Kinkhorst <[EMAIL PROTECTED]> Sun, 30 Jan 2005 18:27:25 +0100 + squirrelmail (1:1.2.6-1.4) stable-security; urgency=high * Non-maintainer upload for security issues. Thanks to Thijs Kinkhorst for only in patch2: --- squirrelmail-1.2.6.orig/src/webmail.php +++ squirrelmail-1.2.6/src/webmail.php @@ -85,14 +85,17 @@ if ($right_frame == 'right_main.php') { $urlMailbox = urlencode($mailbox); + $urlSort = urlencode($sort); + $urlStartMessage = urlencode($startMessage); + $right_frame_url = - "right_main.php?mailbox=$urlMailbox&sort=$sort&startMessage=$startMessage"; + "right_main.php?mailbox=$urlMailbox&sort=$urlSort&startMessage=$urlStartMessage"; } elseif ($right_frame == 'options.php') { $right_frame_url = 'options.php'; } elseif ($right_frame == 'folders.php') { $right_frame_url = 'folders.php'; } elseif ($right_frame == 'compose.php') { - $right_frame_url = "compose.php?send_to=$rcptaddress"; + $right_frame_url = "compose.php?send_to=" . urlencode($rcptaddress); } else { $right_frame_url = 'right_main.php'; } ----- End forwarded message ----- -- see shy jo
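
Review bot: The CAN-2005-0104 entry in the new 1:1.2.6-2 changelog stanza says only "Fix possible XSS issues in src/webmail.php" and, unlike the CAN-2005-0152 entry above it, carries no "Closes:" bug reference. Suggest naming the parameters the fix touches (sort, startMessage and send_to in the right-frame URL) so that someone auditing the stable-security upload can match the entry to the code change without reading the diff.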
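
Review bot: In the right_main.php branch of the src/webmail.php hunk, $sort and $startMessage are passed through urlencode(), which stops them from adding parameters or markup to the URL but still accepts arbitrary text. If they are meant to be integers, as the forwarded mail's wording for CAN-2005-0104 ("unsanitised integer variable") suggests, casting with (int) before building $right_frame_url would reject non-numeric input outright. The line that writes $right_frame_url into the page is outside this hunk, so it is worth confirming that the value is also HTML-escaped where it is emitted.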