Martijn Brinkers discovered that Squirrelmail contains several cross-site scripting attacks, most by URL manipulation, and some by sending a specially crafted HTML email.
This will be made public on Wednesday, June 15th 2005.
Created attachment 61134
Tentative patch from upstream, applies on 1.4.4-release
Cc-ing eradicator so that he gets ready to patch on disclosure date.
eradicator: please do not commit anything in Portage until this is made public.
Created attachment 61189
New patch version from Squirrelmail team
Created attachment 61245
Now public -> opening.
Eradicator please bump.
*** Bug 96223 has been marked as a duplicate of this bug. ***
The patch breaks addressbook for me:
PHP Parse error: parse error, unexpected '=' in /webmail/src/addressbook.php
on line 346
(In reply to comment #7)
@@ -343,6 +343,7 @@
/* Get and sort address list */
$alist = $abook->list_addr();
+ $abook_error = htmlspecialchars($abook_error);
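Review bot: On the added line after `$alist = $abook->list_addr();`, `htmlspecialchars($abook_error)` is called with its default flags, which leave single quotes unescaped; if `$abook_error` is ever echoed inside a single-quoted attribute that is not enough, so consider `htmlspecialchars($abook_error, ENT_QUOTES)`. The variable is also escaped in place rather than where it is printed, so anything appended to `$abook_error` after this line would bypass the escaping; escaping at the output site would be more robust. The hunk does not show where `$abook_error` is set or printed, so both points need checking against the rest of addressbook.php.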
Note the underscore instead of a dash.
Adding the net-mail herd.
eradicator/net-mail : please bump (see comment #8)
eradicator is away. Acting on behalf of net-mail herd, bumped with patch from
http://prdownloads.sourceforge.net/squirrelmail/sqm-144-xss.patch which fixed
the line mentioned in comment #8. All keywords dropped to ~arch.
Thx Tuan, I informed upstream about the problem a few days ago. Now back to
Stable on SPARC.
Stable on ppc.
Almost ready for GLSA decision, I vote YES.
stable on amd64:
< KEYWORDS="~alpha ~amd64 ppc sparc ~x86"
> KEYWORDS="~alpha amd64 ppc sparc ~x86"
note that x86 is still testing
stable on x86.
This one is ready for GLSA decision.
I vote YES too.
*** Bug 96795 has been marked as a duplicate of this bug. ***