Bug 239647 (CVE-2007-1262)

Summary: CVE-2007-1262 XSS through HTML message in squirrelmail
Product: [Other] Security Response Reporter: Mark J. Cox <mjc>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: eric.eisenhart, mbacovsk
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.squirrelmail.org/security/issue/2007-05-09
Whiteboard:
Fixed In Version: RHSA-2007-0358 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-05-17 15:12:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 239648, 239649, 239650, 239651    
Bug Blocks:    

Description Mark J. Cox 2007-05-10 09:29:40 UTC 
http://www.squirrelmail.org/security/issue/2007-05-09
reports
Description:
    There's an ongoing battle to further secure the HTML filter against
malicious HTML mail and the browsers that accept almost any malformed piece of HTML.

    This release contains fixes for the following:
    - HTML attachments containing "data:" URLs;
    - Internet Explorer in various versions accepts many permutations of HTML
    and JavaScript in many charsets. We now properly canonicalize the incoming
    HTML to us-ascii before applying further filters. IE only.
    - Request forgery through images. It was possible to include "images" in
    HTML mails which were in fact GET requests for the compose.php page sending
    mail. These images are now properly detected, and the compose form will only
    send mail through a POST request.
Affected Versions:
    1.4.0-1.4.9a
Register Globals:
    Register_globals does not have to be on for this issue. 
CVE id('s):
    CVE-2007-1262
Patch:
    http://www.squirrelmail.org/patches/1.4.10-security/
Comment 2 Red Hat Bugzilla 2007-05-17 15:12:18 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0358.html