Debian Bug report logs - #257973
[CAN-2004-0639] Several cross-site scripting issues discovered in 1.2.x (RS-2004-1 'old' issues)
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Sam Johnston <samj@aos.net.au>: Bug#257973; Package squirrelmail.
Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Sam Johnston <samj@aos.net.au>.
Message #5 received at submit@bugs.debian.org:
Package: squirrelmail
Version: 1:1.2.6-1.3
Severity: grave
Tags: woody security
Justification: user security hole
RS-2004-1[1] discusses some XSS issues fixed in 1.2.11 vs 1.2.6. Those
are not yet fixed in woody. This would require a general examination of
the 1.2.x diff I'm afraid.
--Jeroen
[1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
--
Jeroen van Wolffelaar
jeroen@wolffelaar.nl
http://jeroen.A-Eskwadraat.nl
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Johnston <samj@aos.net.au>: Bug#257973; Package squirrelmail.
Acknowledgement sent to Matt Zimmerman <mdz@debian.org>: Extra info received and forwarded to list. Copy sent to Sam Johnston <samj@aos.net.au>.
Message #10 received at 257973@bugs.debian.org:
On Wed, Jul 07, 2004 at 12:54:19AM +0200, Jeroen van Wolffelaar wrote:
> Package: squirrelmail
> Version: 1:1.2.6-1.3
> Severity: grave
> Tags: woody security
> Justification: user security hole
>
> RS-2004-1[1] discusses some XSS issues fixed in 1.2.11 vs 1.2.6. Those
> are not yet fixed in woody. This would require a general examination of
> the 1.2.x diff I'm afraid.
>
> --Jeroen
>
> [1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
This is different from CAN-2002-1341, which was fixed in DSA-220?
--
- mdz
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Johnston <samj@aos.net.au>: Bug#257973; Package squirrelmail.
Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>: Extra info received and forwarded to list. Copy sent to Sam Johnston <samj@aos.net.au>.
Message #15 received at 257973@bugs.debian.org:
On Tue, Jul 06, 2004 at 05:45:28PM -0700, Matt Zimmerman wrote:
> On Wed, Jul 07, 2004 at 12:54:19AM +0200, Jeroen van Wolffelaar wrote:
>
> > Package: squirrelmail
> > Version: 1:1.2.6-1.3
> > Severity: grave
> > Tags: woody security
> > Justification: user security hole
> >
> > RS-2004-1[1] discusses some XSS issues fixed in 1.2.11 vs 1.2.6. Those
> > are not yet fixed in woody. This would require a general examination of
> > the 1.2.x diff I'm afraid.
> >
> > --Jeroen
> >
> > [1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
>
> This is different from CAN-2002-1341, which was fixed in DSA-220?
Yes, I verified that the example that is quoted in RS-2004-1, showing
$mailer without quoting. So, there were at least some additional issues.
It is quite safe to assume that example isn't the only thing, and then
you have the period 'last 1.2.x release -> 1.4.2', which also might have
had fixes without CAN's.
--Jeroen
--
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Johnston <samj@aos.net.au>: Bug#257973; Package squirrelmail.
Acknowledgement sent to Matt Zimmerman <mdz@debian.org>: Extra info received and forwarded to list. Copy sent to Sam Johnston <samj@aos.net.au>.
Message #20 received at 257973@bugs.debian.org:
Steven,
We're trying to straighten out the situation with squirrelmail, where there
seem to be a number of unidentified vulnerabilities. Here is one for which
there does not appear to be a candidate yet.
----- Forwarded message from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> -----
Date: Wed, 7 Jul 2004 13:03:26 +0200
From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Matt Zimmerman <mdz@debian.org>
Cc: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>, 257973@bugs.debian.org
Subject: Re: Bug#257973: squirrelmail: RS-2004-1 'old' issues
On Tue, Jul 06, 2004 at 05:45:28PM -0700, Matt Zimmerman wrote:
> On Wed, Jul 07, 2004 at 12:54:19AM +0200, Jeroen van Wolffelaar wrote:
>
> > Package: squirrelmail
> > Version: 1:1.2.6-1.3
> > Severity: grave
> > Tags: woody security
> > Justification: user security hole
> >
> > RS-2004-1[1] discusses some XSS issues fixed in 1.2.11 vs 1.2.6. Those
> > are not yet fixed in woody. This would require a general examination of
> > the 1.2.x diff I'm afraid.
> >
> > --Jeroen
> >
> > [1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
>
> This is different from CAN-2002-1341, which was fixed in DSA-220?
Yes, I verified that the example that is quoted in RS-2004-1, showing
$mailer without quoting. So, there were at least some additional issues.
It is quite safe to assume that example isn't the only thing, and then
you have the period 'last 1.2.x release -> 1.4.2', which also might have
had fixes without CAN's.
--Jeroen
--
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
----- End forwarded message -----
--
- mdz
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Johnston <samj@aos.net.au>: Bug#257973; Package squirrelmail.
Acknowledgement sent to "Steven M. Christey" <coley@mitre.org>: Extra info received and forwarded to list. Copy sent to Sam Johnston <samj@aos.net.au>.
Message #25 received at 257973@bugs.debian.org:
Matt,
>We're trying to straighten out the situation with squirrelmail, where there
>seem to be a number of unidentified vulnerabilities. Here is one for which
>there does not appear to be a candidate yet.
OK...
1) The RS-2004-1 "new" issue was the Content-Type header, which is
already assigned CAN-2004-0520
2) At least 2 "old" issues are specifically mentioned in RS-2004-1,
although a couple other potential issues are also implied.
Use CAN-2004-0639 for this set of issues.
See the current CANs below.
- Steve
======================================================
Candidate: CAN-2004-0520
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0520
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040602
Category: SF
Reference: BUGTRAQ:20040530 RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108611554415078&w=2
Reference: MISC:http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
Reference: MLIST:[squirrelmail-cvs] 20040523 [SM-CVS] CVS: squirrelmail/functions mime.php,1.265.2.27,1.265.2.28
Reference: URL:http://marc.theaimsgroup.com/?l=squirrelmail-cvs&m=108532891231712
Reference: GENTOO:GLSA-200406-08
Reference: URL:http://www.gentoo.org/security/en/glsa/glsa-200406-08.xml
Reference: REDHAT:RHSA-2004:240
Reference: URL:http://rhn.redhat.com/errata/RHSA-2004-240.html
Reference: SGI:20040604-01-U
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc
Reference: BID:10439
Reference: URL:http://www.securityfocus.com/bid/10439
Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail
before 1.4.3 allows remote attackers to insert arbitrary HTML and
script via the content-type mail header, as demonstrated using
read_body.php.
======================================================
Candidate: CAN-2004-0639
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0639
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040708
Category: SF
Reference: BUGTRAQ:20040530 RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108611554415078&w=2
Reference: MISC:http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=257973
Multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail
1.2.10 and earlier allow remote attackers to inject arbitrary HTML or
script via (1) the $mailer variable in read_body.php, (2) the
$senderNames_part variable in mailbox_display.php, and possibly other
vectors including (3) the $event_title variable or (4) the $event_text
variable.
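The second candidate above describes one defect class: a value lifted from an incoming message header (the string that ends up in $mailer, the sender names in $senderNames_part) is written into the page without HTML encoding, so the sender of an ordinary email controls markup in the recipient's browser. The PHP below is an added illustration, not SquirrelMail's code and not part of this bug log; it contrasts the raw-interpolation pattern with the htmlspecialchars() fix and adds a small review check for spotting such sinks. The header values, the assumption that $mailer carries the message's X-Mailer header, and the render_mailer_* / header_reached_output_unescaped helpers are all constructed for the example.

```php
<?php
// Added example, not SquirrelMail code: the defect class behind CAN-2004-0639.
// A value taken from an incoming message header is written into the HTML page
// without encoding. Header names and values below are constructed for the demo.

// Constructed incoming message: the sender controls every header value, so an
// unescaped display of any of them is an XSS sink reachable by plain email.
$constructed_headers = [
    'From'     => 'Alice <alice@example.com>',
    'X-Mailer' => 'DemoClient/1.0 <script>alert(1)</script>',
];

// Vulnerable pattern (as described for $mailer in read_body.php): the header
// string is concatenated straight into the HTML response.
function render_mailer_vulnerable(string $mailer): string
{
    return '<tr><td>Mailer:</td><td>' . $mailer . '</td></tr>';
}

// Hardened pattern: encode for the HTML text context at the point of output.
// ENT_QUOTES also covers attribute contexts; the charset is stated explicitly.
function render_mailer_safe(string $mailer): string
{
    $encoded = htmlspecialchars($mailer, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>Mailer:</td><td>' . $encoded . '</td></tr>';
}

// Review check: a header value that contains HTML-significant characters
// appears verbatim in the rendered output only if the sink is unescaped.
function header_reached_output_unescaped(string $headerValue, string $html): bool
{
    $needsEncoding = $headerValue !== htmlspecialchars($headerValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return $needsEncoding && strpos($html, $headerValue) !== false;
}

$mailer = $constructed_headers['X-Mailer'];

echo "vulnerable: ", render_mailer_vulnerable($mailer), "\n";
echo "safe:       ", render_mailer_safe($mailer), "\n";
echo "raw header in vulnerable output: ",
    var_export(header_reached_output_unescaped($mailer, render_mailer_vulnerable($mailer)), true), "\n";
echo "raw header in safe output:       ",
    var_export(header_reached_output_unescaped($mailer, render_mailer_safe($mailer)), true), "\n";
```

Run it with `php example.php`. The same check applies unchanged to the other vectors the candidate lists ($senderNames_part in mailbox_display.php, $event_title, $event_text): each is a header-derived string reaching an HTML sink, and the fix in every case is encoding at output rather than filtering at input, which is what a review of the 1.2.x diff mentioned earlier in this log would look for.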
Changed Bug title. Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to control@bugs.debian.org.
Owner recorded as Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Request was from "www.wolffelaar.nl" <www-data@wolffelaar.nl> to control@bugs.debian.org.
Tags added: pending. Request was from "www.wolffelaar.nl" <www-data@wolffelaar.nl> to control@bugs.debian.org.
Message sent on to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>: Bug#257973.
Message #34 received at 257973-submitter@bugs.debian.org:
package squirrelmail
# Fixed in r31 by kink
owner 257973 Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
tag 257973 + pending
thanks
These bugs are fixed in revision 31 by kink
and will likely get fixed in the next upload.
Log message:
[CAN-2004-0639] Backport fixes multiple XSS issues found between 1.2.6 and
1.2.12, some exploitable by incoming email (Closes: #257973)
(Thijs)
Tags added: fixed. Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to control@bugs.debian.org.
Reply sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>: You have taken responsibility.
Notification sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>: Bug acknowledged by developer.
Message #41 received at 257973-done@bugs.debian.org:
These security issues were resolved in the 1:1.2.6-1.4 security upload.
I'm closing the bugs now, since Sam Johnston and I agreed to maintain
squirrelmail together.
--Jeroen
--
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Feb 9 19:27:34 2010; Machine Name: busoni.debian.org
Debian Bug tracking system. Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.