[UNIX] SquirrelMail Cross Site Scripting in Encoded Text
From: SecuriTeam (support_at_securiteam.com)
Date: 11/17/04
To: list@securiteam.com Date: 17 Nov 2004 14:07:22 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SquirrelMail Cross Site Scripting in Encoded Text
------------------------------------------------------------------------
SUMMARY
SquirrelMail (http://www.squirrelmail.org) is "a standards-based webmail
package written in PHP4. It includes built-in pure PHP support for the
IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no
JavaScript required) for maximum compatibility across browsers. It has
very few requirements and is very easy to configure and install.
SquirrelMail has all the functionality you would want from an email
client, including strong MIME support, address books, and folder
manipulation".
There is a cross site scripting issue in SquirrelMail's decoding of
encoded text in certain headers. SquirrelMail correctly decodes the
specially crafted header, but doesn't sanitize the decoded strings before
rendering them into the page.
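The defect class described above, as an added illustration that is not part of the advisory or of SquirrelMail's code: a webmail client must decode RFC 2047 encoded-words in headers, and HTML escaping applied to the raw header (or not at all) misses markup that only appears after decoding. The sample header and function names below are constructed for this example; the fix is to escape the decoded string.

```python
from email.header import decode_header, make_header
import html

# Constructed sample headers (not taken from the advisory). The encoded one
# carries HTML markup that only exists after Q-decoding (=3C is '<').
SAMPLE_HEADERS = {
    "plain": "Meeting notes",
    "encoded": "=?ISO-8859-1?Q?Report_=3Cb=3Eurgent=3C/b=3E?=",
}


def decode_rfc2047(raw: str) -> str:
    """Decode RFC 2047 encoded-words to text, as any webmail client must."""
    return str(make_header(decode_header(raw)))


def render_escape_then_decode(raw: str) -> str:
    """Wrong order: escaping the raw header finds nothing to escape, and the
    markup then appears in the decoded output. This is the pattern the
    advisory describes: correct decoding, no sanitising of the decoded text."""
    return "<td>" + decode_rfc2047(html.escape(raw, quote=True)) + "</td>"


def render_decode_then_escape(raw: str) -> str:
    """Fix: escape after decoding, so decoded text is data, not markup."""
    return "<td>" + html.escape(decode_rfc2047(raw), quote=True) + "</td>"


def markup_hidden_by_encoding(raw: str) -> bool:
    """Defender-side check for mail filtering or log review: True when the
    decoded header contains HTML metacharacters that the raw header lacks."""
    metachars = set("<>\"'")
    raw_has = any(c in raw for c in metachars)
    decoded_has = any(c in decode_rfc2047(raw) for c in metachars)
    return decoded_has and not raw_has


if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        print(name, "->", render_decode_then_escape(hdr),
              "| hidden markup:", markup_hidden_by_encoding(hdr))
```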
DETAILS
Vulnerable Systems:
* SquirrelMail version 1.4.3a and earlier
* SquirrelMail version 1.5.1-cvs before 23rd October 2004
Immune Systems:
* SquirrelMail version 1.4.3a (patched)
* SquirrelMail version 1.4.4
* SquirrelMail version 1.5.1-cvs after 23rd October 2004
Resolution:
A patch has been published to resolve this issue for the SquirrelMail
1.4.3a branch, and can be downloaded from here:
http://prdownloads.sourceforge.net/squirrelmail/sm143a-xss.diff?download
To apply this patch, copy the sm143a-xss.diff file into the base
SquirrelMail directory and run the following command from that directory:
patch -p0 < sm143a-xss.diff
Those using SquirrelMail 1.5.1-cvs should update using CVS, or use a copy
of the latest snapshot downloadable from the SquirrelMail website at:
http://www.squirrelmail.org
ADDITIONAL INFORMATION
The information has been provided by Joost Pol.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.