Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 78116

Summary: mail-client/squirrelmail insecure file inclusion
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: major CC: eradicator
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: C1 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-15 11:00:23 UTC
A missing variable initialisation in functions/prefs.php allowed for
potential insecure file inclusions. Only environments where the PHP
setting register_globals is set to On are vulnerable.

Affected versions: SquirrelMail 1.4.3, 1.4.3a, 1.4.4-RC1
Fixed in: SquirrelMail 1.4.4

This vulnerability was discovered by SquirrelMail developer Jimmy

Currently the 1.4.4 release is planned for monday, as there still is
some translation stuff pending.

Here's the fix upstream uses.

Since RH released an advisory for 1.4.3a I guess this problem affects
them at least.



Index: plugin.txt
RCS file: /cvsroot/squirrelmail/squirrelmail/doc/plugin.txt,v
retrieving revision
retrieving revision
diff -u -w -r1.24.2.24 -r1.24.2.25
--- plugin.txt  29 Dec 2004 23:17:11 -0000
+++ plugin.txt  14 Jan 2005 06:15:22 -0000
@@ -288,6 +288,7 @@
   decode_body                    functions/mime.php              hook_func
   generic_header                 functions/page_header.php       do_hook
   menuline                       functions/page_header.php       do_hook
+  prefs_backend                  functions/prefs.php             hook_func
   loading_prefs                  include/load_prefs.php          do_hook
   addrbook_html_search_below     src/addrbook_search_html.php    do_hook
   addressbook_bottom             src/addressbook.php             do_hook

Index: prefs.php
RCS file: /cvsroot/squirrelmail/squirrelmail/functions/prefs.php,v
retrieving revision
retrieving revision
diff -u -w -r1.62.2.6 -r1.62.2.7
--- prefs.php   27 Dec 2004 15:03:46 -0000
+++ prefs.php   14 Jan 2005 06:15:23 -0000
@@ -14,6 +14,7 @@
 /** Include global.php */
 require_once(SM_PATH . 'functions/global.php');
+require_once(SM_PATH . 'functions/plugin.php');
 sqgetGlobalVar('prefs_cache', $prefs_cache, SQ_SESSION );
 sqgetGlobalVar('prefs_are_cached', $prefs_are_cached, SQ_SESSION );
@@ -31,7 +32,8 @@
     $prefs_cache = array();
-if (isset($prefs_backend) && file_exists(SM_PATH . $prefs_backend)) {
+$prefs_backend = do_hook_function('prefs_backend');
+if (isset($prefs_backend) && !empty($prefs_backend) && file_exists(SM_PATH . $prefs_backend)) {
     require_once(SM_PATH . $prefs_backend);
 } elseif (isset($prefs_dsn) && !empty($prefs_dsn)) {
     require_once(SM_PATH . 'functions/db_prefs.php');
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-01-15 12:25:18 UTC
Probably better to wait for the official 1.4.4 on Monday.

Eradicator: if you can't handle it on Monday, please tell us so that we find someone else to do the bump.
Comment 2 Jeremy Huddleston (RETIRED) gentoo-dev 2005-01-16 00:07:04 UTC
I'll take care of it on monday.  should be a simple renaming.
Comment 3 Jeremy Huddleston (RETIRED) gentoo-dev 2005-01-17 16:51:52 UTC
Upstream still hasn't made a release...
Comment 4 Jeremy Huddleston (RETIRED) gentoo-dev 2005-01-18 01:05:03 UTC
Ok, can youu find someone else to bump it for me.  I am going to sleep now, leaving in the morning, and they still haven't made the release.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-01-18 05:57:30 UTC
Apparently this has been delayed until Friday.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-22 00:36:05 UTC
Two more issues:

CAN-2005-0103 for cross site scripting
CAN-2005-0104 for code injection via unsanitised integer variable

Hopefully they will release soon.

Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-22 10:55:45 UTC
1.4.4 released, please bump.
Comment 8 Jeremy Huddleston (RETIRED) gentoo-dev 2005-01-22 13:38:58 UTC
In CVS.  Just need ppc to mark stable.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-22 13:43:20 UTC
Thx Jeremy.

ppc please mark stable.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-25 09:31:41 UTC
GLSA drafted. Security please review.

ppc please mark stable asap.
Comment 11 Jochen Maes (RETIRED) gentoo-dev 2005-01-26 13:17:59 UTC
stable on ppc
sorry for the wait
Comment 12 Jochen Maes (RETIRED) gentoo-dev 2005-01-26 13:18:23 UTC
dada ppc
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 06:34:30 UTC
Not yet ppc stable in CVS...
SeJo / ppc-team, please fix your keyword
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-01-28 02:51:38 UTC
SeJo markes ppc stable. Ready to send
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-28 07:19:40 UTC
GLSA 200501-39