Bug 152734 - SquirrelMail Folder Name Cross-Site Scripting Vulnerability
SquirrelMail Folder Name Cross-Site Scripting Vulnerability
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: Package request (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://www.securityfocus.com/bid/1024...
LEGACY, QA, rh90
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-06-08 18:30 EDT by Marc Deslauriers
Modified: 2014-01-21 17:51 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-05 19:09:13 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:25:35 EST
It has been reported that SquirrelMail is affected by a cross-site scripting
vulnerability in the handling of folder name displays. This issue is due to a
failure of the application to properly sanitize user-supplied input prior to
including it in dynamic web content.

This issue may allow for theft of cookie-based authentication credentials. Other
attacks are also possible.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-08 18:33:44 ----

Upgrading to the latest version seems to be the strategy the vendors are employing.

More info:
http://www.squirrelmail.org/
http://www.gentoo.org/security/en/glsa/glsa-200405-16.xml




------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-08 19:01:17 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are packages for rh9 rebuilt from FC:

cfc467e761da1794e1888a41569d08d864f4724b
squirrelmail-1.4.3-0.f0.9.1.legacy.noarch.rpm
57dcc03aafc29e356e8c9bd81b2076829de5507e  squirrelmail-1.4.3-0.f0.9.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/squirrelmail-1.4.3-0.f0.9.1.legacy.noarch.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/squirrelmail-1.4.3-0.f0.9.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAxpmLLMAs/0C4zNoRAkFeAKCrmTFRR/EWQoYEUKl1CWepRPYc7gCfXhyU
0wHnKgY8Veq75gLX4gg9BsY=
=jCUI
-----END PGP SIGNATURE-----




------- Additional Comments From jonny.strom@netikka.fi 2004-06-09 12:26:06 ----

I did a QA on the RH 9 packages.

SHA1 is ok.
Installs ok.
Spec file is missing CAN reference.
I did not do a functionallity test, so can someone with SquirrelMail
in a working enviroment QA the functionallity.

Other that that so dose it look ok.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-09 13:18:26 ----

CAN reference should go in advisory as there is no security patch in the spec
file, it's a version upgrade.




------- Additional Comments From jkeating@j2solutions.net 2004-06-16 18:23:07 ----

pushed to updates-testing:

  http://download.fedoralegacy.org/redhat/
 
c11465630aac1834c37b9af25dc77bccfd1785be 
9/updates-testing/SRPMS/squirrelmail-1.4.3-0.f0.9.1.legacy.src.rpm
de580a0c9f0b5d8129b0dc5b11671ce9c8e8446f 
9/updates-testing/i386/squirrelmail-1.4.3-0.f0.9.1.legacy.noarch.rpm



------- Additional Comments From marcdeslauriers@videotron.ca 2004-08-04 12:38:40 ----

CAN references for advisory (may not all be applicable, must validate):

CAN-2004-0519 - Multiple cross-site scripting (XSS) vulnerabilities
 in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary
 script as other users and possibly steal authentication information
 via multiple attack vectors, including the mailbox parameter in
 compose.php.

 CAN-2004-0520 - Cross-site scripting (XSS) vulnerability in mime.php
 for SquirrelMail before 1.4.3 allows remote attackers to insert
 arbitrary HTML and script via the content-type mail header, as
 demonstrated using read_body.php.

 CAN-2004-0521 - SQL injection vulnerability in SquirrelMail before
 1.4.3 RC1 allows remote attackers to execute unauthorized SQL
 statements, with unknown impact, probably via abook_database.php.

 CAN-2004-0639 - Multiple cross-site scripting (XSS) vulnerabilities
 in Squirrelmail 1.2.10 and earlier allow remote attackers to inject
 arbitrary HTML or script via (1) the $mailer variable in
 read_body.php, (2) the $senderNames_part variable in
 mailbox_display.php, and possibly other vectors including (3) the
 $event_title variable or (4) the $event_text variable.




------- Additional Comments From mule@umich.edu 2004-09-09 08:14:58 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
de580a0c9f0b5d8129b0dc5b11671ce9c8e8446f 
squirrelmail-1.4.3-0.f0.9.1.legacy.noarch.rpm
c11465630aac1834c37b9af25dc77bccfd1785be  squirrelmail-1.4.3-0.f0.9.1.legacy.src.rpm
 
For Red Hat 9:
* builds from source
* installs
 
VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFBQJ1NTsaUa9pp4VIRAiT9AKCzPxEk+oguR95LsM50yAEE3qrq5gCeIdxi
r/n4zCInNzwM4KL0KlK7FYM=
=RmuY
-----END PGP SIGNATURE-----




------- Additional Comments From dom@earth.li 2004-09-19 08:16:04 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

c11465630aac1834c37b9af25dc77bccfd1785be  squirrelmail-1.4.3-0.f0.9.1.legacy.src
.rpm
de580a0c9f0b5d8129b0dc5b11671ce9c8e8446f  squirrelmail-1.4.3-0.f0.9.1.legacy.noa
rch.rpm

Installs fine
SRPM builds fine

VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBTcyuYzuFKFF44qURAmCPAKDuVSanukgwTNEMpIafjo4YVFzyqwCgvhEp
y1WGxF0T+J4qbtm2t0ny4LA=
=L9rD
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-30 15:16:56 ----

CAN-2004-0639 does not apply as the last rh9 update before this one was 1.2.11.

You can use this as a guide:
https://rhn.redhat.com/errata/RHSA-2004-240.html




------- Additional Comments From dom@earth.li 2004-10-01 14:18:58 ----

I will release this tonight:
http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/1733-squirrelmail-draft.txt



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:25 -------

This bug previously known as bug 1733 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1733
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.


Note You need to log in before you can comment on or make changes to this bug.