[Full-Disclosure] Re: RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability

From: Roman Medina (roman_at_rs-labs.com)
Date: 06/02/04

  • Next message: Mandrake Linux Security Team: "[Full-Disclosure] MDKSA-2004:054 - Updated mod_ssl package fix remote vulnerability"
    To: lupe@lupe-christoph.de (Lupe Christoph)
    Date: Wed, 02 Jun 2004 01:49:01 +0200
    
    

    On Tue, 1 Jun 2004 23:13:32 +0200, you wrote:

    >On Sunday, 2004-05-30 at 03:15:44 +0200, Roman Medina wrote:
    >
    >> I also noticed that latest Debian stable distro ships a very old
    >> version of SquirrelMail, which is vulnerable to several old XSS bugs
    >> (in addition to the new one).
    >
    >The latest Stable is itself quite old. Debian does not release very
    >often. But security bugs are fixed when they become known. I have not
    >found any bug report concerning XSS in the Debian bugs database. Please
    >be so kind and file bugs if you are running Debian. If not, please mail
    >the Debian Security Team as described in
    > http://www.de.debian.org/security/faq#contact

     The point here is that it is not easy or always possible to track any
    error being corrected on every software. In other words, many
    vendors/developers silently fixes bugs and they don't necesarily have
    to know who is packaging their software and inform them. Mix this with
    the (IMHO) too much conservative Debian's policy, beat well and you've
    got it :-)

     I did not performed an exhaustive check. Simply I chose some of the
    latest 2.x versions from changelog where it was listed the string
    "XSS", I had the strong feeling that the bug would be still present in
    Debian stable. And I guessed it :)

     The result is listed in my advisory. Quoting from it:

    " I chose between two beautiful bugs:

    roman@rs-labs:~$ diff -ur squirrelmail-1.2.10/src/read_body.php
    squirrelmail-1.2.11/src/read_body.php
    @@ -976,7 +977,7 @@
                          "<TD BGCOLOR=\"$color[0]\" ALIGN=RIGHT
    VALIGN=TOP>" .
                                _("Mailer") . ': '.
                          "</TD><TD BGCOLOR=\"$color[0]\" VALIGN=TOP
    colspan=2>" .
    - - "<B>$mailer</B>&nbsp;" .
    + "<B>" . htmlentities($mailer) . "</B>&nbsp;"
    .
                          '</TD>' .
                       "</TR>" . "\n";
      
    roman@rs-labs:~$ diff -ur
    squirrelmail-1.2.10/functions/mailbox_display.php
    squirrelmail-1.2.11/functions/mailbox_display.php
     require_once('../functions/strings.php');
    @@ -59,7 +59,7 @@
                 if ($senderName != '') {
                     $senderName .= ', ';
                 }
    - - $senderName .=
    sqimap_find_displayable_name($senderNames_part);
    + $senderName .=
    htmlentities(sqimap_find_displayable_name($senderNames_part));
             }
         }
    "

     I repeat that I didn't test other versions (and I haven't more time
    to spend on this). I've placed Debian security team email on CC but
    you should know that I informed Sam (Debian maintainer for SM) of all
    this issues. Indeed I've exchanged many mails with SM team / Sam (both
    of them always being on CC / To). The final advisory also was sent to
    Sam before the release. I supposed he would release new .deb packages.
    I don't know what happened.

     Saludos,
     --Roman

    --
    PGP Fingerprint:
    09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
    [Key ID: 0xEAD56742. Available at KeyServ]
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    

  • Next message: Mandrake Linux Security Team: "[Full-Disclosure] MDKSA-2004:054 - Updated mod_ssl package fix remote vulnerability"

    Relevant Pages

    • Re: Want to work with a Linux Group
      ... reporting bugs there are basically two things Debian developers do, ... The first step is to decide on which package you want to work. ... Request for adoption - a new maintainer is needed but the old one ...
      (Debian-User)
    • Re: Running testing? -- read this.
      ... I'm just an average Testing user, have been for a while, and around me almost every Debian users I know are using Testing, mostly because it's the Debian's flavour which can compare with other distros in term of being usable on a reasonably new computer, with up-to-date softwares. ... be considered a developer-only version, and according to my experience (i use it for work, along with Ubuntu stations... ... better still (it has NEWER packages!), but Unstable must not work well, ... You will also get the pleasure of finding all the bugs, ...
      (Debian-User)
    • Re: Debian has turned unusable.
      ... I must say, Debian is quite good ... typically suffers from fewer bugs than unstable/sid. ... testing but was unhappy with it and finally went to sarge. ...
      (Debian-User)
    • cdrdao insecure filehandling
      ... Debian Package of CDRDAO, a program to write audio or mixed ... After i found these Bugs i stopped to search for more Bugs. ... the Debian Package Maintainer and the Debian ...
      (Bugtraq)
    • Re: update in sid has killed gnome-terminal
      ... worked through most of the Debian problems too. ... adept at making Debian packages but every now and then a problem occurs ... discover bugs and fix the bugs if they have the expertise (but ... The Open Source Business Network in SA ...
      (Debian-User)