Debian Bug report logs - #167471
Squirrel Mail 1.2.7 XSS exploit not entirely fixed in 1.2.8


Package: squirrelmail; Maintainer for squirrelmail is Jeroen van Wolffelaar <jeroen@wolffelaar.nl>; Source for squirrelmail is src:squirrelmail.

Reported by: Matt Zimmerman <mdz@debian.org>

Date: Sat, 2 Nov 2002 17:48:01 UTC

Severity: grave

Tags: fixed, patch, security, sid

Found in version 1.2.8-1

Fixed in version squirrelmail/1:1.4.2-1

Done: Sam Johnston <samj@aos.net.au>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Sam Johnston <samj@debian.org>, squirrelmail@packages.qa.debian.org:
Bug#167471; Package squirrelmail.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
New Bug report received and forwarded. Copy sent to Sam Johnston <samj@debian.org>, squirrelmail@packages.qa.debian.org.

Message #5 received at submit@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: submit@bugs.debian.org
Subject: Squirrel Mail 1.2.7 XSS exploit not entirely fixed in 1.2.8
Date: Sat, 2 Nov 2002 12:44:19 -0500
Package: squirrelmail
Version: 1.2.8-1
Severity: grave
Tags: security

On Sat, Nov 02, 2002 at 03:48:20PM +0100, Martin Schulze wrote:

> -----------------------
> I finally found
> 
> strip_tags($_SERVER['PHP_SELF']);
> 
> in global.php.
> 
> However, shouldn't this read
> 
> $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
> 
> in order to be useful?
> -----------------------

Yes, according to the documentation you are correct.  strip_tags only
returns the stripped string; it does not modify its argument.  1.2.8-1
contains the broken invocation:

/* strip any tags added to the url from PHP_SELF.
   This fixes hand crafted url XXS expoits for any
   page that uses PHP_SELF as the FORM action */

strip_tags($_SERVER['PHP_SELF']);

-- 
 - mdz
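The difference between the two invocations, as an added PHP example that is not part of the bug report or of SquirrelMail; the PHP_SELF value and the form line are constructed for the demonstration:

```php
<?php
// Added example (not SquirrelMail code): shows why the 1.2.8-1 call was a
// no-op and what the corrected global.php line actually changes.

// Constructed sample: a PHP_SELF value that carries markup, the situation the
// global.php comment describes for pages using PHP_SELF as the FORM action.
$_SERVER['PHP_SELF'] = '/src/login.php/<b>injected</b>';

// The 1.2.8-1 version: strip_tags() returns a filtered copy and never
// modifies its argument, so this statement leaves $_SERVER['PHP_SELF']
// exactly as it was, markup included.
$before = $_SERVER['PHP_SELF'];
strip_tags($_SERVER['PHP_SELF']);
var_dump($before === $_SERVER['PHP_SELF']);   // the value is unchanged

// The NMU fix: assign the return value back, so every later read of
// $_SERVER['PHP_SELF'] sees the tag-free string.
$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
var_dump(strpos($_SERVER['PHP_SELF'], '<') === false);   // no tags remain

// Caveat for the attribute context the comment mentions: strip_tags() only
// removes tags and leaves quote characters alone, so the value should still
// be encoded for the attribute when it is written into the FORM action.
$action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
echo '<form action="' . $action . '" method="post">', "\n";
```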



Tags added: fixed Request was from Martin Schulze <joey@infodrom.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Sam Johnston <samj@debian.org>, squirrelmail@packages.qa.debian.org:
Bug#167471; Package squirrelmail.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Sam Johnston <samj@debian.org>, squirrelmail@packages.qa.debian.org.

Message #12 received at 167471@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: 167471@bugs.debian.org
Subject: Security NMU for Squirrelmail
Date: Fri, 8 Nov 2002 16:10:32 +0100
tags 167471 patch fixed sid
thanks

Hi,

in order to provide our users with a useful update for unstable as well, and
since this bug has been known to the maintainer for at least a week, I've decided
to NMU the package for unstable to finally fix the XSS bug.

Here's the patch I've used.  Please apply it to the next maintainer
upload.  Upstream was informed at the same time as the maintainer
was, so should be aware of it as well.

diff -u squirrelmail-1.2.8/debian/changelog squirrelmail-1.2.8/debian/changelog
--- squirrelmail-1.2.8/debian/changelog
+++ squirrelmail-1.2.8/debian/changelog
@@ -1,3 +1,11 @@
+squirrelmail (1:1.2.8-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Fix cross site scripting problem (DSA 191, CAN-2002-1131, closes:
+    Bug#167471)
+
+ -- Martin Schulze <joey@infodrom.org>  Thu,  7 Nov 2002 15:14:15 +0100
+
 squirrelmail (1:1.2.8-1) unstable; urgency=low
 
   * New upstream release
only in patch2:
--- squirrelmail-1.2.8.orig/src/global.php
+++ squirrelmail-1.2.8/src/global.php
@@ -48,7 +48,7 @@
    This fixes hand crafted url XXS expoits for any
    page that uses PHP_SELF as the FORM action */
 
-strip_tags($_SERVER['PHP_SELF']);
+$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
 
 function sqstripslashes(&$array) {
     foreach ($array as $index=>$value) {
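Review bot: storing the return value on the `+` line is the right fix, since strip_tags() returns a filtered copy and never modifies its argument, but the hunk stops short of attribute-safe output for the FORM action described in the comment above it: strip_tags() leaves quote characters in place, so pages that print $_SERVER['PHP_SELF'] inside action="..." should also pass it through htmlspecialchars() at output time. Worth fixing in the same file while here: the unchanged comment still reads "XXS expoits".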


Regards,

	Joey

-- 
The only stupid question is the unasked one.

Please always Cc to me when replying to me on the lists.



Tags added: patch, fixed, sid Request was from Martin Schulze <joey@infodrom.org> to control@bugs.debian.org.

Reply sent to Sam Johnston <samj@aos.net.au>:
You have taken responsibility.

Notification sent to Matt Zimmerman <mdz@debian.org>:
Bug acknowledged by developer.

Message #19 received at 167471-close@bugs.debian.org:

From: Sam Johnston <samj@aos.net.au>
To: 167471-close@bugs.debian.org
Subject: Bug#167471: fixed in squirrelmail 1:1.4.2-1
Date: Tue, 07 Oct 2003 11:17:44 -0400
Source: squirrelmail
Source-Version: 1:1.4.2-1

We believe that the bug you reported is fixed in the latest version of
squirrelmail, which is due to be installed in the Debian FTP archive:

squirrelmail_1.4.2-1.diff.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.2-1.diff.gz
squirrelmail_1.4.2-1.dsc
  to pool/main/s/squirrelmail/squirrelmail_1.4.2-1.dsc
squirrelmail_1.4.2-1_all.deb
  to pool/main/s/squirrelmail/squirrelmail_1.4.2-1_all.deb
squirrelmail_1.4.2.orig.tar.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 167471@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Johnston <samj@aos.net.au> (supplier of updated squirrelmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Mon,  6 Oct 2003 07:44:12 +1000
Source: squirrelmail
Binary: squirrelmail
Architecture: source all
Version: 1:1.4.2-1
Distribution: unstable
Urgency: medium
Maintainer: Sam Johnston <samj@aos.net.au>
Changed-By: Sam Johnston <samj@aos.net.au>
Description: 
 squirrelmail - Webmail for nuts
Closes: 146416 150338 163995 165753 167471 173367 175773 178951 179166 180108 185602 188143 188441 188631 189602 190315 190923 191028 191856 192239 193680 198747 200108 201022 202368 204058 205572
Changes: 
 squirrelmail (1:1.4.2-1) unstable; urgency=medium
 .
   * New upstream release. Closes: #204058.
   * Significant improvements over (broken) 1.4.0-1 package.
   * PHP compatibility fixes. Closes: #202368.
   * conf.pl corrupts theme paths issue resolved.
     Closes: #175773, #180108, #188441, #190315, #190923, #191028.
   * Backwards compatible with stripped path themes (previous debs).
   * Highlighting issue (1.4.0) resolved. Closes: #188631.
   * Rendering issues with problem emails resolved. Closes: #205572.
   * Resource utilisation improvements. Closes: #191856, #189602.
   * README reference to upstream INSTALL document updated.
     Closes: #173367, 178951.
   * All known XSS exploits resolved. Closes: #167471.
   * Folder list refreshes on login. Closes: #165753.
   * $domain variable set to contents of /etc/hostname. Closes: #198747.
   * Trims of HTTP_HOST port number for use in SMTP HELO. Closes: #200108.
   * Fails gracefully when IMAP server unavailable. Closes: #192239.
   * Recommends rather than depends on spell checker. Closes: #193680.
   * DirectoryIndex directive added to apache.conf. Closes: #201022.
   * Plugin config(s) moved to /etc. Closes: #146416.
   * Properly handles accents and tildes in To:, Subject: etc headers.
     Closes: #150338, #179166.
   * No (broken) 'Save' button in printable version. Closes: #185602.
   * Removes /usr/share/squirrelmail/data iff it is a symbolic link.
     Closes: #188143.
   * Resolves policy violation by replacing conf.pl (executable in /etc)
     with a symlink to /usr/sbin/squirrelmail-configure. Closes: #163995.
Files: 
 ad56c9f1ce04b69c732385c7f13af880 582 web optional squirrelmail_1.4.2-1.dsc
 b0c56513bb92936f5da392202553038d 2873562 web optional squirrelmail_1.4.2.orig.tar.gz
 50154c6194e295c551a9dd919f1904c8 11549 web optional squirrelmail_1.4.2-1.diff.gz
 abedcecac43a2516e52d3a6289ca8ea0 2876250 web optional squirrelmail_1.4.2-1_all.deb







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 13:42:50 2014; Machine Name: buxtehude.debian.org
