Bug 166538 - CAN-2005-1769 Multiple XSS issues in squirrelmail
Summary: CAN-2005-1769 Multiple XSS issues in squirrelmail
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: squirrelmail
Version: 3
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Warren Togami
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-08-23 03:57 UTC by Mike
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-08-23 04:34:12 UTC
Type: ---
Embargoed:



Description Mike 2005-08-23 03:57:11 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050719 Fedora/1.7.10-1.3.1

Description of problem:
See the bug listed here. Although much of the conversation concerned FC3, that bug was closed out today when FC4 was addressed, with no mention of a resolution on FC3.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160242

The initial description was:

+++ This bug was initially created as a clone of Bug #160241 +++

We, the SquirrelMail project, plan on publicizing the attached patch
upcoming Wednesday, June 15th 2005. We're sending it here to give you
some advance notice to prepare for this if you want to. Sorry for the
short notice but this was mainly caused by the finding of some
additional issues.

- It contains fixes for several cross site scripting attacks, most by
URL manipulation, and some by sending a specially crafted HTML email.
- The attached patch is tentative; further testing or further revealed
issues may warrant changes between now and the release.
- The patch is made against the 1.4.4-release version of SquirrelMail.
- Please do not disclose information about this vulnerability until
Wednesday.
- Credits to many of the findings go to Martijn Brinkers.


Warren built a new FC3/FC4 rpm for testing:

---------------
http://people.redhat.com/wtogami/temp/squirrel/
Please test this RPM here on FC3 or FC4.  Upstream's 1.4.5 release was screwed
and unusable, so I added everything in 1.4.6 CVS to this test package.  This
might actually allow squirrelmail to run on FC4's PHP5 too while solving the
security issues.

I know that more fixes are required before pushing this as a FC3 & FC4 update,
but your testing is required to help me figure out exactly what needs fixing.
----------------


I asked earlier today if we need to reopen the bug for FC3, but since there was no response, I'll open a new bug just so it doesn't slip through the cracks.



Version-Release number of selected component (if applicable):
squirrelmail-1.4.3a-6.FC3

How reproducible:
Always

Steps to Reproduce:
1. Use squirrelmail
2.
3.

Additional info:

Comment 1 Warren Togami 2005-08-23 04:34:12 UTC
Haven't you seen the FC3 update announcement and new package in the repository?


