Bug 160242

Summary: CAN-2005-1769 Multiple XSS issues in squirrelmail
Product: [Fedora] Fedora Reporter: Josh Bressers <bressers>
Component: squirrelmailAssignee: Warren Togami <wtogami>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 4CC: lsomike, michal, security-response-team, wtogami
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: public=20050615,impact=moderate,source=vendor-sec,reported=20050612
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-08-22 19:51:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Josh Bressers 2005-06-13 19:33:39 UTC 
+++ This bug was initially created as a clone of Bug #160241 +++

We, the SquirrelMail project, plan on publicizing the attached patch
upcoming Wednesday, June 15th 2005. We're sending it here to give you
some advance notice to prepare for this if you want to. Sorry for the
short notice but this was mainly caused by the finding of some
additional issues.

- It contains fixes for several cross site scripting attacks, most by
URL manipulation, and some by sending a specially crafted HTML email.
- The attached patch is tentative; further testing or further revealed
issues may warrant changes between now and the release.
- The patch is made against the 1.4.4-release version of SquirrelMail.
- Please do not disclose information about this vulnerability until
Wednesday.
- Credits to many of the findings go to Martijn Brinkers.
Comment 1 Josh Bressers 2005-06-13 19:34:47 UTC 
This issue should also affect FC3

The fix for this issue is attachment 115373 [details]
Comment 2 Josh Bressers 2005-06-14 21:33:01 UTC 
The latest patch is attachment 115434 [details].
Comment 3 Warren Togami 2005-07-01 01:50:20 UTC 
*** Bug 162189 has been marked as a duplicate of this bug. ***
Comment 4 Mike 2005-08-06 19:24:20 UTC 
Are there any plans to release this as an RPM for FC3 in the near future, I
couldn't even find it in FC3 testing yet?  See: 

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160241
http://rhn.redhat.com/errata/RHSA-2005-595.html

for additional fixes for the address book.

Mike Klinke
Comment 5 Warren Togami 2005-08-15 10:26:00 UTC 
http://people.redhat.com/wtogami/temp/squirrel/
Please test this RPM here on FC3 or FC4.  Upstream's 1.4.5 release was screwed
and unusable, so I added everything in 1.4.6 CVS to this test package.  This
might actually allow squirrelmail to run on FC4's PHP5 too while solving the
security issues.

I know that more fixes are required before pushing this as a FC3 & FC4 update,
but your testing is required to help me figure out exactly what needs fixing.
Comment 6 Mike 2005-08-15 16:57:12 UTC 
Thanks!,

I've downloaded it and upgraded my FC3 testbox with it.  At first blush
everything looks fine.  I'll poke at it for a few days.

Regards, Mike Klinke
Comment 7 Mike 2005-08-20 14:24:09 UTC 
I've run this on FC3 for a few days, and so far, I haven't run into any
surprises in my normal usage.

Regards, Mike Klinke
Comment 8 Kevin Fenzi 2005-08-22 19:29:10 UTC 
I've run the rpm from Comment #5 for about a week now on a small server... about
10-15 squirrelmail users and no reports of any problems. 

It's running on FC4. 

Kevin
Comment 9 Fedora Update System 2005-08-22 19:51:45 UTC 
From User-Agent: XML-RPC

squirrelmail-1.4.6-0.cvs20050812.1.fc4 has been pushed for FC4, which should resolve this issue.

If these issues are still present in this version, then please re-open this bug.
Comment 10 Mike 2005-08-22 20:07:45 UTC 
Does this need to be reopened again for FC3?

Regards, Mike Klinke