Bug#: 123781
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Rajiv Aaron Manglani <rajiv@gentoo.org>
Description:   Opened: 2006-02-22 20:40 0000
http://www.securityfocus.com/bid/16756/discuss

SquirrelMail Multiple Cross-Site Scripting and IMAP Injection Vulnerabilities

SquirrelMail is susceptible to multiple cross-site scripting and IMAP-injection
vulnerabilities. These issues are due to the application's failure to properly
sanitize user-supplied input.

An attacker may leverage any of the cross-site scripting issues to have
arbitrary script code executed in the browser of an unsuspecting user in the
context of the affected site. This may facilitate the theft of cookie-based
authentication credentials as well as other attacks.

An attacker may leverage the IMAP-injection issue to execute arbitrary IMAP
commands on the configured IMAP server. This may aid attackers in further
attacks as well as allow them to exploit latent vulnerabilities in the IMAP
server.

An exploit is not required to carry out these attacks.

Solution:
The vendor has committed fixes to the SquirrelMail CVS repository. Snapshots of
the current development version are available from the vendor. For further
information on obtaining fixed versions, contact the vendor.


http://www.squirrelmail.org/changelog.php says:

Version 1.4.6 - CVS
-------------------
  - Security: MagicHTML fix for comments in styles which allowed
    for cross site scripting when using Internet Explorer (reported
    by Scott Hughes) [CVE-2006-0195].
  - Multi-line encoded headers were being deleted (#1394667).
  - Security: Prohibit IMAP injection attempts (reported by Vicente
    Aguilera) [CVE-2006-0377].
  - Handle unsolicited responses inside SORT responses properly.
  - Security: Fix possible cross site scripting through the right_main
    parameter of webmail.php. This now uses a whitelist of acceptable
    values. [CVE-2006-0188]
  - Removed invalid STARTTLS check from configtest.php script.
  - Added Georgian language support.

------- Comment #1 From Stefan Cornelius (RETIRED) 2006-02-22 20:50:46 0000 -------
eradicator please provide updated ebuilds, thx

------- Comment #2 From Rajiv Aaron Manglani 2006-02-23 14:07:40 0000 -------
        From:     kink@squirrelmail.org
        Subject:        [SM-ANNOUNCE] SquirrelMail 1.4.6 Released
        Date:   February 23, 2006 5:01:59 PM EST
        To:       squirrelmail-announce@lists.sourceforge.net

Hello All,

It is my proud pleasure to announce the final release of SquirrelMail
1.4.6.

This release is very important, and we strongly advise everybody to
update to the latest release.

Security Update
===============
This version contains a number of security updates that were brought
to our attention via a number of sources.

- In webmail.php, the right_frame parameter was not properly sanitized
  to deal with very lenient browsers, which allowed for cross site
  scripting or frame replacing. [CVE-2006-0188]

- In the MagicHTML function, some very obscure constructs were
  discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy
  concern), and comments could be inside keywords (allows for cross site
  scripting). Both only affect Internet Explorer users. Found by Martijn
  Brinkers and Scott Hughes. [CVE-2006-0195]

- The function sqimap_mailbox_select did not strip newlines from the
  mailbox parameter, and thereby allowed for IMAP command injection.
  Found by Vicente Aguilera. [CVE-2006-0377]

Further details on SquirrelMail vulnerabilities can be found at the
following address:

  http://www.squirrelmail.org/security/

We strongly encourage any persons uncovering Security issues to
contact the SquirrelMail team via security@squirrelmail.org.


In This Release
===============
This release contains mostly bug fixes, including corrections for PHP
behaviour changes in file handling, and some data types. Especially
running SquirrelMail on the most recent PHP versions should be much
improved.

For further information about the changes involved in this release,
please see the ChangeLog and ReleaseNotes files included with the
release.


The latest release can be downloaded from the SquirrelMail website at
http://www.squirrelmail.org/download.php

Happy SquirrelMailing
The SquirrelMail development Team
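
The newline problem described above for sqimap_mailbox_select [CVE-2006-0377], as an added PHP example that is not part of the announcement or of SquirrelMail's own code. The function names build_select_unsafe, build_select_safe and count_imap_lines are hypothetical, and the sample mailbox names are constructed.

```php
<?php
// Added illustration; hypothetical helpers, not SquirrelMail's implementation.

// "Before": the mailbox name is pasted into the command unchanged, so a
// CRLF inside it ends the SELECT line and starts a new command line.
function build_select_unsafe(string $tag, string $mailbox): string
{
    return $tag . ' SELECT "' . $mailbox . '"' . "\r\n";
}

// "After": reject characters that can never appear in an IMAP quoted
// string (CR, LF, NUL per RFC 3501), then escape backslash and quote.
function build_select_safe(string $tag, string $mailbox): string
{
    if (preg_match('/[\r\n\0]/', $mailbox)) {
        throw new InvalidArgumentException('control character in mailbox name');
    }
    $quoted = '"' . addcslashes($mailbox, "\\\"") . '"';
    return $tag . ' SELECT ' . $quoted . "\r\n";
}

// Number of CRLF-terminated lines the IMAP server would read from $wire.
function count_imap_lines(string $wire): int
{
    return substr_count($wire, "\r\n");
}

// Constructed sample input: two ordinary names and one carrying a CRLF
// followed by a harmless second command.
$samples = [
    'INBOX',
    'Work "2006"',
    "INBOX\r\nA002 NOOP",
];

foreach ($samples as $name) {
    $unsafe = count_imap_lines(build_select_unsafe('A001', $name));
    try {
        $safe = count_imap_lines(build_select_safe('A001', $name)) . ' line(s)';
    } catch (InvalidArgumentException $e) {
        $safe = 'rejected: ' . $e->getMessage();
    }
    printf("%-24s unsafe=%d line(s)  safe=%s\n", json_encode($name), $unsafe, $safe);
}
```

Any input for which the unsafe builder yields more than one line is a mailbox value that reached the IMAP server as more than the single SELECT the application intended.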

------- Comment #3 From Jakub Moc (RETIRED) 2006-02-23 14:47:00 0000 -------
*** Bug 123863 has been marked as a duplicate of this bug. ***

------- Comment #4 From Evildad 2006-02-23 23:51:23 0000 -------
*** Bug 123893 has been marked as a duplicate of this bug. ***

------- Comment #5 From Thierry Carrez (RETIRED) 2006-02-26 03:45:10 0000 -------
net-mail, eradicator: please bump to 1.4.6

------- Comment #6 From Jakub Moc (RETIRED) 2006-02-26 05:19:30 0000 -------
*** Bug 124162 has been marked as a duplicate of this bug. ***

------- Comment #7 From Tuan Van (RETIRED) 2006-02-26 12:02:19 0000 -------
eradicator (primary maintainer) is not listed in dev.g.o/devaway, so I will
wait for another day or two.

------- Comment #8 From Jeremy Huddleston (RETIRED) 2006-02-27 10:56:28 0000 -------
It's in portage.  alpha, ppc, and x86 need to mark stable.

------- Comment #9 From Tobias Scherbaum 2006-02-27 12:11:48 0000 -------
Looks like you forgot to commit ...

------- Comment #10 From Thierry Carrez (RETIRED) 2006-03-04 08:22:20 0000 -------
It's in portage: alpha,ppc,x86 please test and mark 1.4.6 stable

------- Comment #11 From Tobias Scherbaum 2006-03-05 07:12:03 0000 -------
ppc stable

------- Comment #12 From Stefan Cornelius (RETIRED) 2006-03-08 17:09:18 0000 -------
x86 and alpha, could you please test and mark stable or are there any problems?

------- Comment #13 From Fernando J. Pereda (RETIRED) 2006-03-09 13:06:17 0000 -------
Done for alpha and x86, sorry for the delay.

------- Comment #14 From Stefan Cornelius (RETIRED) 2006-03-12 07:07:43 0000 -------
GLSA 200603-09

Thanks everybody.
