Debian Bug report logs - #257973
[CAN-2004-0639] Several cross-site scripting issues discovered in 1.2.x (RS-2004-1 'old' issues)


Package: squirrelmail; Maintainer for squirrelmail is (unknown);

Reported by: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

Date: Tue, 6 Jul 2004 23:03:02 UTC

Owned by: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

Severity: grave

Tags: fixed, security, woody

Found in version 1:1.2.6-1.3

Done: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Sam Johnston <samj@aos.net.au>:
Bug#257973; Package squirrelmail.


Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Sam Johnston <samj@aos.net.au>.


Message #5 received at submit@bugs.debian.org:

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: squirrelmail: RS-2004-1 'old' issues
Date: Wed, 7 Jul 2004 00:54:19 +0200
Package: squirrelmail
Version: 1:1.2.6-1.3
Severity: grave
Tags: woody security
Justification: user security hole

RS-2004-1[1] discusses some XSS issues fixed in 1.2.11 vs 1.2.6. Those
are not yet fixed in woody. This would require a general examination of
the 1.2.x diff I'm afraid.

--Jeroen

[1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt

-- 
Jeroen van Wolffelaar
jeroen@wolffelaar.nl
http://jeroen.A-Eskwadraat.nl



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Johnston <samj@aos.net.au>:
Bug#257973; Package squirrelmail.


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Johnston <samj@aos.net.au>.


Message #10 received at 257973@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>, 257973@bugs.debian.org
Subject: Re: Bug#257973: squirrelmail: RS-2004-1 'old' issues
Date: Tue, 6 Jul 2004 17:45:28 -0700
On Wed, Jul 07, 2004 at 12:54:19AM +0200, Jeroen van Wolffelaar wrote:

> Package: squirrelmail
> Version: 1:1.2.6-1.3
> Severity: grave
> Tags: woody security
> Justification: user security hole
> 
> RS-2004-1[1] discusses some XSS issues fixed in 1.2.11 vs 1.2.6. Those
> are not yet fixed in woody. This would require a general examination of
> the 1.2.x diff I'm afraid.
> 
> --Jeroen
> 
> [1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt

This is different from CAN-2002-1341, which was fixed in DSA-220?

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Johnston <samj@aos.net.au>:
Bug#257973; Package squirrelmail.


Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list. Copy sent to Sam Johnston <samj@aos.net.au>.


Message #15 received at 257973@bugs.debian.org:

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Matt Zimmerman <mdz@debian.org>
Cc: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>, 257973@bugs.debian.org
Subject: Re: Bug#257973: squirrelmail: RS-2004-1 'old' issues
Date: Wed, 7 Jul 2004 13:03:26 +0200
On Tue, Jul 06, 2004 at 05:45:28PM -0700, Matt Zimmerman wrote:
> On Wed, Jul 07, 2004 at 12:54:19AM +0200, Jeroen van Wolffelaar wrote:
> 
> > Package: squirrelmail
> > Version: 1:1.2.6-1.3
> > Severity: grave
> > Tags: woody security
> > Justification: user security hole
> > 
> > RS-2004-1[1] discusses some XSS issues fixed in 1.2.11 vs 1.2.6. Those
> > are not yet fixed in woody. This would require a general examination of
> > the 1.2.x diff I'm afraid.
> > 
> > --Jeroen
> > 
> > [1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
> 
> This is different from CAN-2002-1341, which was fixed in DSA-220?

Yes, I verified the example that is quoted in RS-2004-1, showing
$mailer without quoting. So, there were at least some additional issues.

It is quite safe to assume that example isn't the only thing, and then
you have the period 'last 1.2.x release -> 1.4.2', which also might have
had fixes without CANs.

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Johnston <samj@aos.net.au>:
Bug#257973; Package squirrelmail.


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Johnston <samj@aos.net.au>.


Message #20 received at 257973@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: "Steven M. Christey" <coley@mitre.org>
Cc: 257973@bugs.debian.org, jeroen@wolffelaar.nl
Subject: [CAN request]: Re: Bug#257973: squirrelmail: RS-2004-1 'old' issues]
Date: Wed, 7 Jul 2004 09:10:00 -0700
Steven,

We're trying to straighten out the situation with squirrelmail, where there
seem to be a number of unidentified vulnerabilities.  Here is one for which
there does not appear to be a candidate yet.

----- Forwarded message from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> -----

Date: Wed, 7 Jul 2004 13:03:26 +0200
From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Matt Zimmerman <mdz@debian.org>
Cc: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>, 257973@bugs.debian.org
Subject: Re: Bug#257973: squirrelmail: RS-2004-1 'old' issues

On Tue, Jul 06, 2004 at 05:45:28PM -0700, Matt Zimmerman wrote:
> On Wed, Jul 07, 2004 at 12:54:19AM +0200, Jeroen van Wolffelaar wrote:
> 
> > Package: squirrelmail
> > Version: 1:1.2.6-1.3
> > Severity: grave
> > Tags: woody security
> > Justification: user security hole
> > 
> > RS-2004-1[1] discusses some XSS issues fixed in 1.2.11 vs 1.2.6. Those
> > are not yet fixed in woody. This would require a general examination of
> > the 1.2.x diff I'm afraid.
> > 
> > --Jeroen
> > 
> > [1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
> 
> This is different from CAN-2002-1341, which was fixed in DSA-220?

Yes, I verified the example that is quoted in RS-2004-1, showing
$mailer without quoting. So, there were at least some additional issues.

It is quite safe to assume that example isn't the only thing, and then
you have the period 'last 1.2.x release -> 1.4.2', which also might have
had fixes without CANs.

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl

----- End forwarded message -----

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Johnston <samj@aos.net.au>:
Bug#257973; Package squirrelmail.


Acknowledgement sent to "Steven M. Christey" <coley@mitre.org>:
Extra info received and forwarded to list. Copy sent to Sam Johnston <samj@aos.net.au>.


Message #25 received at 257973@bugs.debian.org:

From: "Steven M. Christey" <coley@mitre.org>
To: mdz@debian.org
Cc: 257973@bugs.debian.org, jeroen@wolffelaar.nl, "Steven M. Christey" <coley@mitre.org>
Subject: Re: [CAN request]: Re: Bug#257973: squirrelmail: RS-2004-1 'old' issues]
Date: Thu, 8 Jul 2004 15:43:45 -0400 (EDT)
Matt,

>We're trying to straighten out the situation with squirrelmail, where there
>seem to be a number of unidentified vulnerabilities.  Here is one for which
>there does not appear to be a candidate yet.

OK...

1) The RS-2004-1 "new" issue was the Content-Type header, which is
   already assigned CAN-2004-0520

2) At least 2 "old" issues are specifically mentioned in RS-2004-1,
   although a couple other potential issues are also implied.

   Use CAN-2004-0639 for this set of issues.

See the current CANs below.

- Steve




======================================================
Candidate: CAN-2004-0520
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0520
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20040602
Category: SF
Reference: BUGTRAQ:20040530 RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108611554415078&w=2
Reference: MISC:http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
Reference: MLIST:[squirrelmail-cvs] 20040523 [SM-CVS] CVS: squirrelmail/functions mime.php,1.265.2.27,1.265.2.28
Reference: URL:http://marc.theaimsgroup.com/?l=squirrelmail-cvs&m=108532891231712
Reference: GENTOO:GLSA-200406-08
Reference: URL:http://www.gentoo.org/security/en/glsa/glsa-200406-08.xml
Reference: REDHAT:RHSA-2004:240
Reference: URL:http://rhn.redhat.com/errata/RHSA-2004-240.html
Reference: SGI:20040604-01-U
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc
Reference: BID:10439
Reference: URL:http://www.securityfocus.com/bid/10439

Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail
before 1.4.3 allows remote attackers to insert arbitrary HTML and
script via the content-type mail header, as demonstrated using
read_body.php.



======================================================
Candidate: CAN-2004-0639
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0639
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20040708
Category: SF
Reference: BUGTRAQ:20040530 RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108611554415078&w=2
Reference: MISC:http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=257973

Multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail
1.2.10 and earlier allow remote attackers to inject arbitrary HTML or
script via (1) the $mailer variable in read_body.php, (2) the
$senderNames_part variable in mailbox_display.php, and possibly other
vectors including (3) the $event_title variable or (4) the $event_text
variable.








Changed Bug title. Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to control@bugs.debian.org.


Owner recorded as Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Request was from "www.wolffelaar.nl" <www-data@wolffelaar.nl> to control@bugs.debian.org.


Tags added: pending. Request was from "www.wolffelaar.nl" <www-data@wolffelaar.nl> to control@bugs.debian.org.


Message sent on to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#257973.


Message #34 received at 257973-submitter@bugs.debian.org:

From: "www.wolffelaar.nl" <www-data@wolffelaar.nl>
To: control@bugs.debian.org, 257973-submitter@bugs.debian.org
Subject: Squirrelmail bugs fixed in revision r31
Date: Fri, 30 Jul 2004 23:52:43 +0200
package squirrelmail
# Fixed in r31 by kink
owner 257973 Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
tag 257973 + pending
thanks

These bugs are fixed in revision 31 by kink
and will likely get fixed in the next upload.
Log message:
[CAN-2004-0639] Backport fixes multiple XSS issues found between 1.2.6 and
1.2.12, some exploitable by incoming email (Closes: #257973)
(Thijs)






Tags added: fixed. Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to control@bugs.debian.org.


Reply sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
You have taken responsibility.


Notification sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug acknowledged by developer.


Message #41 received at 257973-done@bugs.debian.org:

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: 257961-done@bugs.debian.org, 257972-done@bugs.debian.org, 257973-done@bugs.debian.org
Subject: Resolved in 1:1.2.6-1.4
Date: Tue, 21 Sep 2004 15:58:45 +0200
These security issues were resolved in the 1:1.2.6-1.4 security upload.
I'm closing the bugs now, since Sam Johnston and I agreed to maintain
squirrelmail together.

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:52:34 2025; Machine Name: bembo
