Red Hat Bugzilla – Bug 197368
CVE-2006-3174 Squirrelmail XSS flaw
Last modified: 2007-11-30 17:07:26 EST
Squirrelmail XSS flaw
A cross site scripting bug was found in the way squirrelmail displays
the "mailbox" parameter when passed to the search.php script.
This issue is only an issue when register_globals is enabled, which is
not suggested under any circumstances.
The original report is here:
The patch is here:
This issue also affects RHEL3
XSS issues that work only in register_globals=on don't apply to SquirrelMail
1.4.7 and 1.5.1. You can't claim an rg=on XSS exploit in standard SquirrelMail
scripts, because these SquirrelMail versions have code that removes all
registered global variables. If an exploit is present, it is present in both rg=on
and rg=off setups. The http://pridels.blogspot.com report provides misleading
information. There is no 1.5.1-20060409 version. SquirrelMail has used the 1.5.2cvs tag
since 2006-02-12 and the SquirrelMail devel version has removed all globals since
2005-12-20. 1.5.1-20060409 is the 1.5.1 locales release tag.
The original report does not say anything about RG=on. Maybe such information is
present in their closed forum.
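
The point made in the comment above, that a script which removes registered globals behaves the same with register_globals on or off, as an added PHP sketch. It is not SquirrelMail's code and not part of the original report; the function names and the sample request are constructed, and register_globals is simulated with an array because PHP removed the setting in 5.4.

```php
<?php
// Added illustration, not SquirrelMail source; all function names are hypothetical.

// Model register_globals: request parameters appear as global symbols
// before the script's first line runs. With rg=off nothing is injected.
function initial_symbols(array $request, bool $registerGlobals): array
{
    return $registerGlobals ? $request : [];
}

// The cleanup step the comment describes: drop every symbol that was
// injected from the request, so later code cannot pick one up by accident.
function strip_registered_globals(array $symbols, array $request): array
{
    return array_diff_key($symbols, $request);
}

// Read the parameter explicitly from the request and encode it for HTML.
function render_mailbox(array $request): string
{
    $mailbox = $request['mailbox'] ?? 'INBOX';
    if (!is_string($mailbox)) {
        $mailbox = 'INBOX';   // reject array-valued parameters
    }
    return 'Folder: ' . htmlspecialchars($mailbox, ENT_QUOTES, 'UTF-8');
}

// Constructed sample request containing HTML metacharacters.
$request = ['mailbox' => 'INBOX"><i>x</i>', 'unset_var' => '1'];

foreach ([true, false] as $rg) {
    $symbols = strip_registered_globals(initial_symbols($request, $rg), $request);
    printf("rg=%s symbols after cleanup: %d\n", $rg ? 'on' : 'off', count($symbols));
}

// Both setups reach the page code with the same (empty) symbol table, so
// whether markup reaches the browser depends only on the output encoding.
echo render_mailbox($request), "\n";
```
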
I did some research on this issue today. I'm under the impression this isn't a
vulnerability given the information floating around. Upstream cannot reproduce
this; the report is vague and misleading. After viewing the source in question,
I fail to see how this is even possible (with or without register_globals).
I'm closing this NOTABUG. Thanks for the information.