Bug 97585 - mail-client/squirrelmail vulnerability in options_identites.php (vendor-sec) (CAN-2005-2095)
Bug#: 97585
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL:
Summary: mail-client/squirrelmail vulnerability in options_identites.php (vendor-sec) (CAN-2005-2095)
Keywords:
Status Whiteboard: B4 [noglsa] jaervosz
Opened: 2005-07-01 01:39 0000
|
Hello all,
A new vulnerability has been discovered in SquirrelMail. The file
src/options_identities.php contained some very bad, legacy code: an
extract($_POST) was done, effectively allowing a malicious attacker to
change session variables and even other people's preferences.
It must be noted that for this to happen you need to trick someone into
using an external form to post the information which is not trivial.
Affected versions:
1.4.0 - 1.4.5-RC1 (current stable tree)
1.2.8 - 1.2.10 (unsupported old stable tree)
1.5.x CVS (unsupported current development tree)
Not vulnerable:
Everything before 1.2.8.
Our proposed patch is attached; unfortunately we had to rework some
functions to fix them the right way because the previous code really
depended on the extract() call.
We will release 1.4.5 sometime next week with the patch included. Fixes
for unsupported trees will be applied to their CVS branches but no new
releases will be made.
Credits for finding the issue go to James Bercegay of GulfTech Security
Research.
Regards,
Thijs Kinkhorst
SquirrelMail Development Team
Jeremy, please advise.
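The root cause named in the report is the `extract($_POST)` pattern. The PHP below is an added illustration, not SquirrelMail's code and not the patch attached to this bug: it places that pattern beside a handler that reads only an explicit set of expected form fields. The field names (`full_name`, `email_address`, `reply_to`, `signature`), the function names and the session layout are assumptions made for the example.

```php
<?php
// Added example (not SquirrelMail's code or its patch). Field names, function
// names and the session layout below are assumptions made for illustration.

// Vulnerable pattern, as described in the bug: every key in the submitted form
// becomes a local variable, so a submitted field whose name collides with a
// variable the script already relies on silently replaces its value.
function saveIdentityVulnerable(array $post, array &$session): void
{
    $identities = $session['identities'];   // the data the script intends to edit
    extract($post);                          // $identities (and anything else) may now be overwritten
    $session['identities'] = $identities;    // written back without any validation
}

// Hardened pattern: read only the fields the form is expected to send, validate
// each one, and never let request data choose variable names.
function saveIdentityHardened(array $post, array &$session, int $index = 0): void
{
    $allowed = ['full_name', 'email_address', 'reply_to', 'signature'];
    $identity = [];
    foreach ($allowed as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {
            throw new InvalidArgumentException("field $field must be a string");
        }
        $identity[$field] = trim($value);
    }
    foreach (['email_address', 'reply_to'] as $addr) {
        if ($identity[$addr] !== '' && filter_var($identity[$addr], FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException("field $addr is not a valid address");
        }
    }
    if ($index < 0) {
        throw new InvalidArgumentException('identity index must be non-negative');
    }
    $session['identities'][$index] = $identity;
}

// Demonstration with a constructed session and a constructed form submission
// that carries one key the form was never meant to send.
$session = [
    'user'       => 'alice',
    'identities' => [
        ['full_name' => 'Alice', 'email_address' => 'alice@example.org', 'reply_to' => '', 'signature' => ''],
    ],
];
$post = [
    'full_name'     => 'Alice A.',
    'email_address' => 'alice@example.org',
    'identities'    => 'not an array',   // unexpected key: only the vulnerable version honours it
];

$s1 = $session;
saveIdentityVulnerable($post, $s1);
var_dump($s1['identities']);            // the stray key replaced the whole identities list

$s2 = $session;
saveIdentityHardened($post, $s2);
var_dump($s2['identities'][0]);         // only the whitelisted fields were stored
```

The difference to check for when reviewing similar code is whether any request key can reach the local symbol table: `extract()` with `EXTR_SKIP` or a prefix narrows the damage but still couples variable names to request data, whereas an explicit field list keeps the set of accepted inputs visible in the code and makes per-field validation possible.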
This seems rather hard to exploit. If you want some prerelease testing please
attach an updated ebuild to this bug. Do NOT commit anything to Portage.

Yeah... I tend to agree with Thijs that this is rather difficult to exploit.
Combine that with the extensive nature of the changes here, and I'd prefer to
wait for upstream to finish testing with their 1.4.5 release with the fix next week.

Ok, we'll wait on this one.
Jeremy, will you watch upstream for a new release?

1.4.5 will be released on Wednesday, we could just as well decide on GLSA
publication already. I tend to vote NO.

*** Bug 98917 has been marked as a duplicate of this bug. ***

Jeremy: please bump to 1.4.5 final in portage. ppc needs to mark stable.

Reverting half NO to full NO -> Closing without GLSA.
Thx everyone.

and don't forget to close :)