Bug 197368

Summary: CVE-2006-3174 Squirrelmail XSS flaw
Product: Red Hat Enterprise Linux 4
Reporter: Josh Bressers <bressers>
Component: squirrelmail
Assignee: Warren Togami <wtogami>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: medium
Version: 4.0
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: source=cve,reported=20060622,impact=low,public=20060606
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-08-24 20:47:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Josh Bressers 2006-06-30 16:47:26 UTC
Squirrelmail XSS flaw

A cross site scripting bug was found in the way squirrelmail displays
the "mailbox" parameter when passed to the search.php script.

This issue is only an issue when register_globals is enabled, which is
not suggested under any circumstances.

The original report is here:
http://pridels.blogspot.com/2006/06/squirrelmail-151-xss-vuln.html

The patch is here:
http://squirrelmail.cvs.sourceforge.net/squirrelmail/squirrelmail/src/search.php?r1=1.92.2.15&r2=1.92.2.16


This issue also affects RHEL3.

Comment 1 Tomas 2006-07-30 20:24:22 UTC
XSS issues that work only with register_globals=on don't apply to SquirrelMail
1.4.7 and 1.5.1. You can't claim an rg=on XSS exploit in standard SquirrelMail
scripts, because these SquirrelMail versions have code that removes all
registered global variables. If an exploit is present, it is present in both rg=on
and rg=off setups. The http://pridels.blogspot.com report provides misleading
information. There is no 1.5.1-20060409 version. SquirrelMail has used the 1.5.2cvs tag
since 2006-02-12, and the SquirrelMail devel version has removed all globals since
2005-12-20. 1.5.1-20060409 is the 1.5.1 locales release tag.

The original report does not say anything about RG=on. Maybe such information is
present in their closed forum.

Comment 3 Josh Bressers 2006-08-24 20:47:14 UTC
I did some research on this issue today. I'm under the impression this isn't a
vulnerability given the information floating around. Upstream cannot reproduce
this; the report is vague and misleading. After viewing the source in question
I fail to see how this is even possible (with or without register_globals).

I'm closing this NOTABUG.  Thanks for the information.