[Full-Disclosure] Re: RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability

From: Roman Medina (roman_at_rs-labs.com)
Date: 06/02/04

  • Next message: Mandrake Linux Security Team: "[Full-Disclosure] MDKSA-2004:054 - Updated mod_ssl package fix remote vulnerability"
    To: lupe@lupe-christoph.de (Lupe Christoph)
    Date: Wed, 02 Jun 2004 01:49:01 +0200

    On Tue, 1 Jun 2004 23:13:32 +0200, you wrote:

    >On Sunday, 2004-05-30 at 03:15:44 +0200, Roman Medina wrote:
    >> I also noticed that latest Debian stable distro ships a very old
    >> version of SquirrelMail, which is vulnerable to several old XSS bugs
    >> (in addition to the new one).
    >The latest Stable is itself quite old. Debian does not release very
    >often. But security bugs are fixed when they become known. I have not
    >found any bug report concerning XSS in the Debian bugs database. Please
    >be so kind and file bugs if you are running Debian. If not, please mail
    >the Debian Security Team as described in
    > http://www.de.debian.org/security/faq#contact

     The point here is that it is not easy or always possible to track every
    error being corrected in every piece of software. In other words, many
    vendors/developers silently fix bugs, and they don't necessarily have
    to know who is packaging their software and inform them. Mix this with
    the (IMHO) overly conservative Debian policy, beat well and you've
    got it :-)

     I did not perform an exhaustive check. I simply chose some of the
    latest 2.x versions from the changelog where the string "XSS" was
    listed; I had the strong feeling that the bug would still be present in
    Debian stable. And I guessed right :)

     The result is listed in my advisory. Quoting from it:

    " I chose between two beautiful bugs:

    roman@rs-labs:~$ diff -ur squirrelmail-1.2.10/src/read_body.php
    @@ -976,7 +977,7 @@
                          "<TD BGCOLOR=\"$color[0]\" ALIGN=RIGHT
    VALIGN=TOP>" .
                                _("Mailer") . ': '.
                          "</TD><TD BGCOLOR=\"$color[0]\" VALIGN=TOP
    colspan=2>" .
    - - "<B>$mailer</B>&nbsp;" .
    + "<B>" . htmlentities($mailer) . "</B>&nbsp;"
                          '</TD>' .
                       "</TR>" . "\n";
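    Review bot: as quoted, the `+` line `"<B>" . htmlentities($mailer) . "</B>&nbsp;"` ends without the trailing `.` that the removed line had, so the `'</TD>' .` on the following context line is no longer concatenated to it; unless that is a line-wrap artifact of the mail, the concatenation operator needs to be restored. The encoding itself is appropriate: htmlentities() with its default quote handling converts `<`, `>`, `&` and `"`, which is sufficient for a value that lands in element content between the `<B>` tags.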
    roman@rs-labs:~$ diff -ur
    @@ -59,7 +59,7 @@
                 if ($senderName != '') {
                     $senderName .= ', ';
    - - $senderName .=
    + $senderName .=
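    Review bot: both the `-` and `+` lines are cut off after `$senderName .=`, so the replacement expression, which is the part of the change that matters, is not visible and cannot be reviewed; the hunk also lacks its file header, so the affected file is unknown. Quote the complete lines so the encoding applied to the appended sender value can be checked, since the surrounding context (`$senderName .= ', ';`) shows the string is assembled by concatenation from per-sender pieces.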

     I repeat that I didn't test other versions (and I don't have more time
    to spend on this). I've placed the Debian security team email on CC, but
    you should know that I informed Sam (Debian maintainer for SM) of all
    these issues. Indeed, I've exchanged many mails with the SM team / Sam (both
    of them always being on CC / To). The final advisory was also sent to
    Sam before the release. I supposed he would release new .deb packages.
    I don't know what happened.


    PGP Fingerprint:
    09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
    [Key ID: 0xEAD56742. Available at KeyServ]
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
