lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <424qb0hejaasctgams01s0hd8s1roapkc7@4ax.com>
From: roman at rs-labs.com (Roman Medina)
Subject: Re: RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability

On Tue, 1 Jun 2004 23:13:32 +0200, you wrote:

>On Sunday, 2004-05-30 at 03:15:44 +0200, Roman Medina wrote:
>
>> I also noticed that latest Debian stable distro ships a very old
>> version of SquirrelMail, which is vulnerable to several old XSS bugs
>> (in addition to the new one).
>
>The latest Stable is itself quite old. Debian does not release very
>often. But security bugs are fixed when they become known. I have not
>found any bug report concerning XSS in the Debian bugs database. Please
>be so kind and file bugs if you are running Debian. If not, please mail
>the Debian Security Team as described in
>  http://www.de.debian.org/security/faq#contact

 The point here is that it is not easy or always possible to track any
error being corrected on every software. In other words, many
vendors/developers silently fixes bugs and they don't necesarily have
to know who is packaging their software and inform them. Mix this with
the (IMHO) too much conservative Debian's policy, beat well and you've
got it :-)

 I did not performed an exhaustive check. Simply I chose some of the
latest 2.x versions from changelog where it was listed the string
"XSS", I had the strong feeling that the bug would be still present in
Debian stable. And I guessed it :)

 The result is listed in my advisory. Quoting from it:

"  I chose between two beautiful bugs:

roman@...labs:~$ diff -ur squirrelmail-1.2.10/src/read_body.php
squirrelmail-1.2.11/src/read_body.php
@@ -976,7 +977,7 @@
                      "<TD BGCOLOR=\"$color[0]\" ALIGN=RIGHT
VALIGN=TOP>" .
                            _("Mailer") . ': '.
                      "</TD><TD BGCOLOR=\"$color[0]\" VALIGN=TOP
colspan=2>" .
- -                        "<B>$mailer</B>&nbsp;" .
+                        "<B>" . htmlentities($mailer) . "</B>&nbsp;"
.
                      '</TD>' .
                   "</TR>" . "\n";
  
roman@...labs:~$ diff -ur
squirrelmail-1.2.10/functions/mailbox_display.php
squirrelmail-1.2.11/functions/mailbox_display.php
 require_once('../functions/strings.php');
@@ -59,7 +59,7 @@
             if ($senderName != '') {
                 $senderName .= ', ';
             }
- -            $senderName .=
sqimap_find_displayable_name($senderNames_part);
+            $senderName .=
htmlentities(sqimap_find_displayable_name($senderNames_part));
         }
     }
"

 I repeat that I didn't test other versions (and I haven't more time
to spend on this). I've placed Debian security team email on CC but
you should know that I informed Sam (Debian maintainer for SM) of all
this issues. Indeed I've exchanged many mails with SM team / Sam (both
of them always being on CC / To). The final advisory also was sent to
Sam before the release. I supposed he would release new .deb packages.
I don't know what happened.

 Saludos,
 --Roman

--
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ