Bug 123781 - mail-client/squirrelmail XSS, IMAP vulnerabilities in < 1.4.6-CVS
Summary: mail-client/squirrelmail XSS, IMAP vulnerabilities in < 1.4.6-CVS
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Other
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa] DerCorny
Keywords:
Duplicates: 123863 123893 124162
Depends on:
Blocks:
 
Reported: 2006-02-22 20:40 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2006-03-12 07:07 UTC (History)
CC: 8 users

See Also:
Package list:
Runtime testing required: ---


Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2006-02-22 20:40:05 UTC
http://www.securityfocus.com/bid/16756/discuss

SquirrelMail Multiple Cross-Site Scripting and IMAP Injection Vulnerabilities

SquirrelMail is susceptible to multiple cross-site scripting and IMAP-injection vulnerabilities. These issues are due to the application's failure to properly sanitize user-supplied input.

An attacker may leverage any of the cross-site scripting issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.

An attacker may leverage the IMAP-injection issue to execute arbitrary IMAP commands on the configured IMAP server. This may aid attackers in further attacks as well as allow them to exploit latent vulnerabilities in the IMAP server.

An exploit is not required to carry out these attacks.

Solution:
The vendor has committed fixes to the SquirrelMail CVS repository. Snapshots of the current development version are available from the vendor. For further information on obtaining fixed versions, contact the vendor.


http://www.squirrelmail.org/changelog.php says:

Version 1.4.6 - CVS
-------------------
  - Security: MagicHTML fix for comments in styles which allowed
    for cross site scripting when using Internet Explorer (reported
    by Scott Hughes) [CVE-2006-0195].
  - Multi-line encoded headers were being deleted (#1394667).
  - Security: Prohibit IMAP injection attempts (reported by Vicente
    Aguilera) [CVE-2006-0377].
  - Handle unsolicited responses inside SORT responses properly.
  - Security: Fix possible cross site scripting through the right_main
    parameter of webmail.php. This now uses a whitelist of acceptable
    values. [CVE-2006-0188]
  - Removed invalid STARTTLS check from configtest.php script.
  - Added Georgian language support.
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-22 20:50:46 UTC
eradicator please provide updated ebuilds, thx
Comment 2 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2006-02-23 14:07:40 UTC
From: kink@squirrelmail.org
Subject: [SM-ANNOUNCE] SquirrelMail 1.4.6 Released
Date: February 23, 2006 5:01:59 PM EST
To: squirrelmail-announce@lists.sourceforge.net

Hello All,

It is my proud pleasure to announce the final release of SquirrelMail
1.4.6.

This release is very important, and we strongly advise everybody to
update to the latest release.

Security Update
===============
This version contains a number of security updates that were brought
to our attention via a number of sources.

- In webmail.php, the right_frame parameter was not properly sanitized
  to deal with very lenient browsers, which allowed for cross site
  scripting or frame replacing. [CVE-2006-0188]

- In the MagicHTML function, some very obscure constructs were
  discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy
  concern), and comments could be inside keywords (allows for cross site
  scripting). Both only affect Internet Explorer users. Found by Martijn
  Brinkers and Scott Hughes. [CVE-2006-0195]

- The function sqimap_mailbox_select did not strip newlines from the
  mailbox parameter, and thereby allowed for IMAP command injection.
  Found by Vicente Aguilera. [CVE-2006-0377]

Further details on SquirrelMail vulnerabilities can be found at the
following address:

  http://www.squirrelmail.org/security/

We strongly encourage any persons uncovering Security issues to
contact the SquirrelMail team via security@squirrelmail.org.


In This Release
===============
This release contains mostly bug fixes, including corrections for PHP
behaviour changes in file handling, and some data types. Especially
running SquirrelMail on the most recent PHP versions should be much
improved.

For further information about the changes involved in this release,
please see the ChangeLog and ReleaseNotes files included with the
release.


The latest release can be downloaded from the SquirrelMail website at
http://www.squirrelmail.org/download.php

Happy SquirrelMailing
The SquirrelMail development Team
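The two fixes described in the announcement above (the right_frame allowlist for CVE-2006-0188 and the rejection of newlines in the mailbox name passed to the IMAP SELECT command for CVE-2006-0377) are small input-validation checks. The following is an added example written for this bug page, not SquirrelMail's own code: it shows the defensive shape of both checks in Python. The allowlist contents, the function names and the mailbox names used in it are constructed for illustration; the quoting rules follow RFC 3501 (a mailbox name is sent as a quoted string with backslash and double quote escaped, and CR/LF may never appear inside it).

```python
import re

# Constructed allowlist for a frame-selector parameter in the style of
# SquirrelMail's right_frame/right_main. Values are hypothetical; the point
# is that the parameter chooses among fixed names and is never echoed back
# into HTML or used to build a URL from attacker-controlled text.
ALLOWED_RIGHT_FRAME = {"right_main.php", "folders.php", "options.php"}


def select_right_frame(value, default="right_main.php"):
    """Allowlist check: return the requested frame if it is a known value,
    otherwise fall back to the default (never the raw input)."""
    return value if value in ALLOWED_RIGHT_FRAME else default


class IMAPInjectionError(ValueError):
    """Raised when a mailbox name could alter the IMAP command stream."""


# Anything below 0x20, DEL, or outside 7-bit ASCII is refused. CR and LF are
# the injection vector (a newline ends the command, so the remainder of the
# name would be parsed as a new command); other control bytes and non-ASCII
# are refused as well because RFC 3501 expects modified UTF-7 for non-ASCII
# names, and refusing is the safe conservative choice for this example.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f]|[^\x00-\x7f]")


def imap_quote_mailbox(name):
    """Return the mailbox name as an RFC 3501 quoted string, or raise."""
    if not name:
        raise IMAPInjectionError("empty mailbox name")
    match = _FORBIDDEN.search(name)
    if match:
        raise IMAPInjectionError(
            "forbidden byte %#04x in mailbox name" % ord(match.group(0))
        )
    # Escape backslash first, then the double quote, so the quoting cannot
    # be broken out of by a name containing either character.
    escaped = name.replace("\\", "\\\\").replace('"', '\\"')
    return '"%s"' % escaped


def build_select_command(tag, name):
    """Build a tagged SELECT command line from a validated mailbox name."""
    return "%s SELECT %s\r\n" % (tag, imap_quote_mailbox(name))


if __name__ == "__main__":
    print(build_select_command("A001", "INBOX"), end="")
    print(select_right_frame("folders.php"))
    try:
        build_select_command("A002", "INBOX\r\nA003 NOOP")
    except IMAPInjectionError as exc:
        print("rejected:", exc)
```

The rejection path is what the 1.4.6 fix adds: a mailbox name carrying a CR/LF is refused before any command line is assembled, so a single SELECT can never turn into two commands. The allowlist function shows the same idea for the frame parameter: unknown values are replaced, not sanitized and passed through.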
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2006-02-23 14:47:00 UTC
*** Bug 123863 has been marked as a duplicate of this bug. ***
Comment 4 Evildad 2006-02-23 23:51:23 UTC
*** Bug 123893 has been marked as a duplicate of this bug. ***
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-02-26 03:45:10 UTC
net-mail, eradicator: please bump to 1.4.6
Comment 6 Jakub Moc (RETIRED) gentoo-dev 2006-02-26 05:19:30 UTC
*** Bug 124162 has been marked as a duplicate of this bug. ***
Comment 7 Tuan Van (RETIRED) gentoo-dev 2006-02-26 12:02:19 UTC
eradicator (primary maintainer) is not listed in dev.g.o/devaway, so I will wait for another day or two.
Comment 8 Jeremy Huddleston (RETIRED) gentoo-dev 2006-02-27 10:56:28 UTC
It's in portage.  alpha, ppc, and x86 need to mark stable.
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2006-02-27 12:11:48 UTC
Looks like you forgot to commit ...
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2006-03-04 08:22:20 UTC
It's in portage: alpha,ppc,x86 please test and mark 1.4.6 stable
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2006-03-05 07:12:03 UTC
ppc stable
Comment 12 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-08 17:09:18 UTC
x86 and alpha, could you please test and mark stable or are there any problems?
Comment 13 Fernando J. Pereda (RETIRED) gentoo-dev 2006-03-09 13:06:17 UTC
Done for alpha and x86, sorry for the delay.
Comment 14 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-12 07:07:43 UTC
GLSA 200603-09

Thanks everybody.