
Bug 95937

Summary: mail-client/squirrelmail: XSS issues (CAN-2005-1769)
Product: Gentoo Security
Reporter: Thierry Carrez (RETIRED) <koon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: eradicator, gentoo, net-mail+disabled, rajiv
Priority: High
Version: unspecified
Hardware: All
OS: Other
URL: http://prdownloads.sourceforge.net/squirrelmail/sqm-144-xss.patch
Whiteboard: B4 [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachments:
- sqm-144-xss.patch (flags: none)
- sqm-144-xss.patch (flags: none)
- sqm-144-xss.patch (flags: none)

Description Thierry Carrez (RETIRED) gentoo-dev 2005-06-13 02:05:05 UTC
Martijn Brinkers discovered that Squirrelmail contains several cross site scripting attacks, most by URL manipulation, and some by sending a specially crafted HTML email.

This will be made public on Wednesday, June 15th 2005
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-06-13 02:05:55 UTC
Created attachment 61134 [details, diff]
sqm-144-xss.patch

Tentative patch from upstream, applies on 1.4.4-release
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-06-13 02:08:29 UTC
Cc-ing eradicator so that he gets ready to patch on disclosure date.
eradicator: please do not commit anything in Portage until this is made public.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-06-14 01:52:48 UTC
Created attachment 61189 [details, diff]
sqm-144-xss.patch

New patch version from Squirrelmail team
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-14 21:11:54 UTC
Created attachment 61245 [details, diff]
sqm-144-xss.patch

Updated patch.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-15 21:58:06 UTC
Now public -> opening.

Eradicator please bump.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-15 21:59:09 UTC
*** Bug 96223 has been marked as a duplicate of this bug. ***
Comment 7 Jakub Moc (RETIRED) gentoo-dev 2005-06-16 01:04:30 UTC
The patch breaks addressbook for me:

 PHP Parse error:  parse error, unexpected '=' in /webmail/src/addressbook.php on line 346
Comment 8 Jakub Moc (RETIRED) gentoo-dev 2005-06-16 01:12:52 UTC
(In reply to comment #7)

This works:

@@ -343,6 +343,7 @@
     /* Get and sort address list */
     $alist = $abook->list_addr();
     if(!is_array($alist)) {
+        $abook_error = htmlspecialchars($abook_error);
         plain_error_message($abook->error, $color);
         exit;
     }
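Review bot: the added line escapes `$abook_error`, but the next line still passes `$abook->error` to `plain_error_message()`, so the escaped value never reaches the output, and `$abook_error` is not assigned anywhere in the visible context, so the call to `htmlspecialchars()` operates on an unset variable. Unless `plain_error_message()` escapes its argument itself, this resolves the parse error from comment #7 without applying the XSS fix at this site; escape the value that is actually printed, e.g. `plain_error_message(htmlspecialchars($abook->error), $color);`, or assign `$abook->error = htmlspecialchars($abook->error);` before the call.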

Note the underscore instead of a dash.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-06-16 10:09:57 UTC
Adding the net-mail herd.

eradicator/net-mail : please bump (see comment #8)
Comment 10 Tuan Van (RETIRED) gentoo-dev 2005-06-18 08:27:41 UTC
eradicator is away. Acting on behalf of net-mail herd, bumped with patch from
http://prdownloads.sourceforge.net/squirrelmail/sqm-144-xss.patch which fixed
the line mentioned in comment #8. All keywords dropped to ~arch.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-18 08:38:00 UTC
Thx Tuan, I informed upstream about the problem a few days ago. Now back to stable marking.
Comment 12 Jason Wever (RETIRED) gentoo-dev 2005-06-18 12:47:59 UTC
Stable on SPARC.
Comment 13 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-06-18 13:12:22 UTC
Stable on ppc.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-19 01:35:17 UTC
Almost ready for GLSA decision, I vote YES. 
Comment 15 Simon Stelling (RETIRED) gentoo-dev 2005-06-19 02:24:26 UTC
stable on amd64:

squirrelmail-1.4.4-r1.ebuild
39c39
< KEYWORDS="~alpha ~amd64 ppc sparc ~x86"
---
> KEYWORDS="~alpha amd64 ppc sparc ~x86"

note that x86 is still testing
Comment 16 Tuan Van (RETIRED) gentoo-dev 2005-06-19 11:24:45 UTC
stable on x86.
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-19 12:01:55 UTC
This one is ready for GLSA decision. 
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2005-06-19 12:06:27 UTC
I vote YES too.
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-21 13:45:44 UTC
GLSA 200506-19 
Comment 20 Tuan Van (RETIRED) gentoo-dev 2005-06-22 16:23:09 UTC
*** Bug 96795 has been marked as a duplicate of this bug. ***