Bug 197368 - CVE-2006-3174 Squirrelmail XSS flaw
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: squirrelmail
Hardware/OS: All Linux
Priority: medium  Severity: low
Assigned To: Warren Togami
Keywords: Security
Reported: 2006-06-30 12:47 EDT by Josh Bressers
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2006-08-24 16:47:14 EDT

Description Josh Bressers 2006-06-30 12:47:26 EDT
Squirrelmail XSS flaw

A cross site scripting bug was found in the way squirrelmail displays
the "mailbox" parameter when passed to the search.php script.

This issue is only an issue when register_globals is enabled, which is
not suggested under any circumstances.

The original report is here:

The patch is here:

This issue also affects RHEL3
Comment 1 Tomas 2006-07-30 16:24:22 EDT
XSS issues that work only with register_globals=on don't apply to SquirrelMail
1.4.7 and 1.5.1. You can't claim an rg=on XSS exploit in standard SquirrelMail
scripts, because these SquirrelMail versions have code that removes all
registered global variables. If an exploit is present, it is present in both rg=on
and rg=off setups. The http://pridels.blogspot.com report provides misleading
information. There is no 1.5.1-20060409 version. SquirrelMail has used the 1.5.2cvs tag
since 2006-02-12, and the SquirrelMail devel version has removed all globals since
2005-12-20. 1.5.1-20060409 is the 1.5.1 locales release tag.

The original report does not say anything about RG=on. Maybe such information is
present in their closed forum.
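As an added illustration of the defence Comment 1 describes (this is not SquirrelMail's own code, and the function names are assumptions): with register_globals=on, PHP copies every request key into the global scope, and a script can undo that at startup by unsetting each such copy, so anything it reads afterwards must come explicitly from a superglobal.

```php
<?php
// Added illustration, not SquirrelMail's code: neutralise register_globals by
// removing every global variable that PHP registered from request data.
// With register_globals=on (PHP < 5.4), ?mailbox=X also defines $mailbox;
// after this runs, a script that reads $mailbox sees nothing unless it
// explicitly copies the value out of $_GET, so rg=on adds no attack surface.
function unregister_request_globals(): void
{
    // register_globals was removed in PHP 5.4; ini_get() then returns false.
    if (!ini_get('register_globals')) {
        return;
    }
    $protected = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES', '_ENV',
                  '_SERVER', '_SESSION', '_REQUEST'];
    $sources = [$_GET, $_POST, $_COOKIE, $_FILES, $_ENV, $_SERVER];
    if (isset($_SESSION) && is_array($_SESSION)) {
        $sources[] = $_SESSION;
    }
    foreach ($sources as $source) {
        foreach (array_keys($source) as $key) {
            // Never touch the superglobals themselves.
            if (in_array($key, $protected, true)) {
                continue;
            }
            unset($GLOBALS[$key]);
        }
    }
}

// Read the parameter from its intended source and HTML-encode it before
// echoing, so the mailbox name reaches the page as data, not as markup.
function render_mailbox_name(array $get): string
{
    $mailbox = isset($get['mailbox']) ? (string) $get['mailbox'] : 'INBOX';
    return htmlspecialchars($mailbox, ENT_QUOTES, 'UTF-8');
}

unregister_request_globals();
echo render_mailbox_name($_GET), "\n";
```

Run it as a CGI/FPM script on a PHP build old enough to still have register_globals to see the unsetting take effect; on PHP 5.4 and later the function is a no-op because the setting no longer exists.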
Comment 3 Josh Bressers 2006-08-24 16:47:14 EDT
I did some research on this issue today. I'm under the impression this isn't a
vulnerability given the information floating around. Upstream cannot reproduce
this; the report is vague and misleading. After viewing the source in question
I fail to see how this is even possible (with or without register_globals).

I'm closing this NOTABUG.  Thanks for the information.
