diff -u squirrelmail-1.4.6/functions/global.php squirrelmail-1.4.6/functions/global.php
--- squirrelmail-1.4.6/functions/global.php
+++ squirrelmail-1.4.6/functions/global.php
@@ -102,13 +102,29 @@
}
}
-
-
-/* strip any tags added to the url from PHP_SELF.
- This fixes hand crafted url XXS expoits for any
- page that uses PHP_SELF as the FORM action */
-
-$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
+/**
+ * Strip any tags added to the url from PHP_SELF.
+ * This fixes hand crafted url XXS expoits for any
+ * page that uses PHP_SELF as the FORM action.
+ * Must be executed before strings.php is loaded (php_self() call in strings.php).
+ * Update: strip_tags() won't catch something like
+ * src/right_main.php?sort=0&startMessage=1&mailbox=INBOX&xxx=">
+ * or
+ * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E
+ * because it doesn't bother with broken tags.
+ * htmlspecialchars() is the preferred method.
+ */
+if (isset($_SERVER['PHP_SELF'])) {
+ $_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']);
+}
+/*
+ * same needed for QUERY_STRING because SquirrelMail
+ * uses it along with PHP_SELF when using location
+ * strings
+ */
+if (isset($_SERVER['QUERY_STRING'])) {
+ $_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING']);
+}
/**
* returns true if current php version is at mimimum a.b.c
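Review bot: `htmlspecialchars()` on L27 and L35 is called with its default flags, which encode `"` but leave `'` untouched, so a single quote in PHP_SELF survives the new guard and a page that places PHP_SELF inside a single-quoted attribute gains nothing from it; pass the flag explicitly, e.g. `$_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);` and likewise for QUERY_STRING on L35. Encoding the raw request values in place also changes what every later consumer of `$_SERVER['QUERY_STRING']` sees (`&` becomes `&amp;`), so anything downstream that re-parses the query string or copies it into a Location header would now receive entity-encoded text; that is a behaviour change worth confirming, and escaping at output time would avoid it. These are top-level statements that run on include, per the comment on L18, so the ordering constraint it states is load-bearing.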
diff -u squirrelmail-1.4.6/functions/mime.php squirrelmail-1.4.6/functions/mime.php
--- squirrelmail-1.4.6/functions/mime.php
+++ squirrelmail-1.4.6/functions/mime.php
@@ -1814,6 +1814,12 @@
/**
* Fix stupid css declarations which lead to vulnerabilities
* in IE.
+ *
+ * Also remove "position" attribute, as it can easily be set
+ * to "fixed" or "absolute" with "left" and "top" attributes
+ * of zero, taking over the whole content frame. It can also
+ * be set to relative and move itself anywhere it wants to,
+ * displaying content in areas it shouldn't be allowed to touch.
*/
$match = Array('/\/\*.*\*\//',
'/expression/i',
@@ -1821,8 +1827,9 @@
'/binding/i',
'/include-source/i',
'/javascript/i',
- '/script/i');
- $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy');
+ '/script/i',
+ '/position/i');
+ $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', '');
$contentNew = preg_replace($match, $replace, $contentTemp);
if ($contentNew !== $contentTemp) {
// insecure css declarations are used. From now on we don't care
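Review bot: The new `/position/i` pattern on L62 is paired with an empty replacement on L63 while every other entry in `$replace` maps to `'idiocy'`; deleting the matched text rather than substituting a marker means the characters on either side of the match are spliced together after the earlier patterns in the list have already run, whereas a non-empty marker can never form a new token. Using `'idiocy'` for this entry too keeps the two arrays consistent and keeps the `$contentNew !== $contentTemp` comparison on L65 as the detection signal. If the code following L66 (outside the hunk) discards the stylesheet entirely whenever anything matched, the splicing concern is moot, but the consistency point stands. Note also that `/position/i` has no word boundary, so ordinary words such as `composition` in a style block will trip the check; a short comment saying this is intentional would help the next reader.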
@@ -2209,12 +2216,28 @@
"/binding/i",
"/behaviou*r/i",
"/include-source/i",
- "/position\s*:\s*absolute/i",
+
+ // position:relative can also be exploited
+ // to put content outside of email body area
+ // and position:fixed is similarly exploitable
+ // as position:absolute, so we'll remove it
+ // altogether....
+ //
+ // Does this screw up legitimate HTML messages?
+ // If so, the only fix I see is to allow position
+ // attributes (any values? I think we still have
+ // to block static and fixed) only if $use_iframe
+ // is enabled (1.5.0+)
+ //
+ // was: "/position\s*:\s*absolute/i",
+ //
+ "/position\s*:/i",
+
"/(\\\\)?u(\\\\)?r(\\\\)?l(\\\\)?/i",
"/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si",
"/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si",
"/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si",
- "/(.*)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si"
+ "/(.*)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si",
),
Array(
"",
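Review bot: The replacement array that pairs index-for-index with these patterns starts at L96 and is cut off by the hunk, so it is not visible here that the slot the new `"/position\s*:/i"` entry on L87 occupies still lines up with the intended replacement; preg_replace() silently substitutes an empty string for any pattern without a matching replacement, which would delete the text rather than neutralise it the way the other entries presumably do. Worth checking the element counts of both arrays once, and giving the replacement list the same trailing comma that L94 adds to the pattern list. On style, the fourteen-line comment embedded in the middle of the array literal (L73–L86) splits the list and carries an open design question; a two-line note above the entry, e.g. `// any position: value (absolute, fixed, relative) can move content outside the message body; see security issue 2009-05-12`, with the `$use_iframe` question moved to a tracker, would read better. The enclosing function starts and ends outside the hunk.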
diff -u squirrelmail-1.4.6/debian/changelog squirrelmail-1.4.6/debian/changelog
--- squirrelmail-1.4.6/debian/changelog
+++ squirrelmail-1.4.6/debian/changelog
@@ -1,3 +1,36 @@
+squirrelmail (2:1.4.6-1ubuntu0.4) dapper-security; urgency=low
+
+ * SECURITY UPDATE: (LP: #375513)
+ * Multiple cross site scripting issues. Two issues were fixed that both
+ allowed an attacker to run arbitrary script (XSS) on most any
+ SquirrelMail page by getting the user to click on specially crafted
+ SquirrelMail links.
+ - http://squirrelmail.org/security/issue/2009-05-08
+ - CVE-2009-1578
+ - Patch taken from upstream svn rev. 13670. Applied inline.
+ * Cross site scripting issues in decrypt_headers.php. An issue was fixed
+ wherein input to the contrib/decrypt_headers.php script was not sanitized
+ and allowed arbitrary script execution upon submission of certain values.
+ - http://squirrelmail.org/security/issue/2009-05-09
+ - CVE-2009-1578
+ - Patch taken from upstream svn rev. 13672. Applied inline.
+ * Server-side code injection in map_yp_alias username map. An issue was
+ fixed that allowed arbitrary server-side code execution when SquirrelMail
+ was configured to use the example "map_yp_alias" username mapping
+ functionality.
+ - http://squirrelmail.org/security/issue/2009-05-10
+ - CVE-2009-1579
+ - Patch taken from upstream svn rev. 13674. Applied inline.
+ * CSS positioning vulnerability. An issue was fixed that allowed phishing
+ and cross-site scripting (XSS) attacks to be run by surreptitious
+ placement of content in specially-crafted emails sent to SquirrelMail
+ users.
+ - http://squirrelmail.org/security/issue/2009-05-12
+ - CVE-2009-1581
+ - Patch taken from upstream svn rev. 13667. Applied inline.
+
+ -- Andreas Wenning Tue, 12 May 2009 23:49:37 +0200
+
squirrelmail (2:1.4.6-1ubuntu0.3) dapper-security; urgency=low
* SECURITY UPDATE: Possible cookie theft in src/redirect.php if
diff -u squirrelmail-1.4.6/debian/control squirrelmail-1.4.6/debian/control
--- squirrelmail-1.4.6/debian/control
+++ squirrelmail-1.4.6/debian/control
@@ -1,7 +1,8 @@
Source: squirrelmail
Section: web
Priority: optional
-Maintainer: Jeroen van Wolffelaar
+Maintainer: Ubuntu MOTU Developers
+XSBC-Original-Maintainer: Jeroen van Wolffelaar
Uploaders: Thijs Kinkhorst , Sam Johnston
Build-Depends: debhelper (>= 5)
Standards-Version: 3.6.2
only in patch2:
unchanged:
--- squirrelmail-1.4.6.orig/contrib/decrypt_headers.php
+++ squirrelmail-1.4.6/contrib/decrypt_headers.php
@@ -31,7 +31,7 @@
define('SM_PATH','../');
/**
- * include SquirrelMail string functions
+ * include SquirrelMail string and generic functions
* script needs OneTimePadDecrypt() (functions/strings.php)
* and sqgetGlobalVar() (functions/global.php, loaded by strings.php)
*/
@@ -73,23 +73,30 @@
."";
if (sqgetGlobalVar('submit',$submit,SQ_POST)) {
+ $continue = TRUE;
if (! sqgetGlobalVar('secret',$secret,SQ_POST) ||
- empty($secret))
- echo "