Red Hat Bugzilla – Bug 197368
CVE-2006-3174 Squirrelmail XSS flaw
Last modified: 2007-11-30 17:07:26 EST
Squirrelmail XSS flaw A cross site scripting bug was found in the way squirrelmail displays the "mailbox" parameter when passed to the search.php script. This issue is only an issue when register_globals is enabled, which is not suggested under any circumstances. The original report is here: http://pridels.blogspot.com/2006/06/squirrelmail-151-xss-vuln.html The patch is here: http://squirrelmail.cvs.sourceforge.net/squirrelmail/squirrelmail/src/search.php?r1=1.92.2.15&r2=1.92.2.16 This issue also affects RHEL3
XSS issues that work only in register_globals=on don't apply to SquirrelMail 1.4.7 and 1.5.1. You can't claim rg=on XSS exploit in standard SquirrelMail scripts, because these SquirrelMail versions have code that removes all registered global variables. If exploit is present, it is present in both rg=on and rg=off setups. http://pridels.blogspot.com report provides misleading information. There is no 1.5.1-20060409 version. SquirrelMail uses 1.5.2cvs tag since 2006-02-12 and SquirrelMail devel version removes all globals since 2005-12-20. 1.5.1-20060409 is 1.5.1 locales release tag. Original report does not say anything about RG=on. Maybe such information is present in their closed forum.
I did some research on this issue today. I'm under the impression this isn't a vulnerability given the information floating around. Upstream cannot reproduce this, the report is vague and misleading. After viewing the source in question I fail to see how this is even possible (with or without register_globals). I'm closing this NOTABUG. Thanks for the information.