Hello all,

A new vulnerability has been discovered in SquirrelMail. The file src/options_identities.php contained some very bad, legacy code: an extract($_POST) was done, effectively allowing a malicious attacker to change session variables and even other people's preferences. It must be noted that for this to happen you need to trick someone into using an external form to post the information, which is not trivial.

Affected versions:
1.4.0 - 1.4.5-RC1 (current stable tree)
1.2.8 - 1.2.10 (unsupported old stable tree)
1.5.x CVS (unsupported current development tree)

Not vulnerable: Everything before 1.2.8.

Our proposed patch is attached; unfortunately we had to rework some functions to fix them the right way because the previous code really depended on the extract() call. We will release 1.4.5 sometime next week with the patch included. Fixes for unsupported trees will be applied to their CVS branches but no new releases will be made.

Credits for finding the issue go to James Bercegay of GulfTech Security Research.

Regards,
Thijs Kinkhorst
SquirrelMail Development Team
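An added illustration of the pattern the advisory describes (this is not SquirrelMail's code; the handler and save_identity() helper names are hypothetical): extract($_POST) lets any submitted field overwrite a variable the script had already derived from the session, whereas reading only the expected keys keeps the session value authoritative.

```php
<?php
// Added illustration, not code from SquirrelMail. save_identity() and the
// two handler functions are hypothetical names chosen for this example.

function handle_identity_form_vulnerable(array $post, array $session): array
{
    // The script has already decided whose preferences are being edited.
    $username = $session['username'];

    // extract() turns every POST field into a local variable. A field named
    // "username" silently replaces the value taken from the session above,
    // so the preferences end up saved under a different account.
    extract($post);

    return save_identity($username, $full_name ?? '', $email_address ?? '');
}

function handle_identity_form_fixed(array $post, array $session): array
{
    $username = $session['username'];

    // Read only the fields the form is expected to carry. Nothing else in the
    // request can reach a local variable, so $username stays session-controlled.
    $full_name     = isset($post['full_name'])     ? (string) $post['full_name']     : '';
    $email_address = isset($post['email_address']) ? (string) $post['email_address'] : '';

    return save_identity($username, $full_name, $email_address);
}

// Hypothetical persistence helper: returns the record that would be written.
function save_identity(string $username, string $full_name, string $email_address): array
{
    return ['user' => $username, 'full_name' => $full_name, 'email' => $email_address];
}

// Constructed request: a posted form carrying a "username" field it has no business sending.
$session = ['username' => 'alice'];
$post    = ['username' => 'bob', 'full_name' => 'Changed', 'email_address' => 'x@example.org'];

$vulnerable = handle_identity_form_vulnerable($post, $session);
$fixed      = handle_identity_form_fixed($post, $session);

// With extract() the record is written for the posted name; with explicit
// key reads it is written for the session user.
printf("vulnerable handler saved for: %s\n", $vulnerable['user']);
printf("fixed handler saved for:      %s\n", $fixed['user']);
```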
Created attachment 62382 [details, diff] sqm_144_ident.diff
Jeremy please advise. This seems rather hard to exploit. If you want some prerelease testing please attach an updated ebuild to this bug. Do NOT commit anything to Portage.
Yeah... I tend to agree with Thijs that this is rather difficult to exploit. Combine that with the extensive nature of the changes here, and I'd prefer to wait for upstream to finish testing with their 1.4.5 release with the fix next week.
Ok, we'll wait on this one. Jeremy will you watch upstream for a new release?
1.4.5 will be released on Wednesday, we could just as well decide on GLSA publication already. I tend to vote NO.
Yes I vote NO too.
Now public
*** Bug 98917 has been marked as a duplicate of this bug. ***
Jeremy: please bump to 1.4.5 final
in portage. ppc needs to mark stable.
Stable on PPC
Reverting half NO to full NO -> Closing without GLSA. Thx everyone.
and don't forget to close :)