SOURCES: squirrelmail-sec-CVS.patch (NEW) - Security: MagicHTML fi...
baggins
baggins at pld-linux.org
Thu Feb 2 23:24:14 CET 2006
Author: baggins Date: Thu Feb 2 22:24:13 2006 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- Security: MagicHTML fix for comments in styles which allowed
for cross site scripting when using Internet Explorer (reported
by Scott Hughes) [CVE-2006-0195].
- Multi-line encoded headers were being deleted (#1394667).
- Security: Prohibit IMAP injection attempts (reported by Vicente
Aguilera) [CVE-2006-0377].
- Handle unsolicited responses inside SORT responses properly.
- Security: Fix possible cross site scripting through the right_main
parameter of webmail.php. This now uses a whitelist of acceptable
values. [CVE-2006-0188]
---- Files affected:
SOURCES:
squirrelmail-sec-CVS.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/squirrelmail-sec-CVS.patch
diff -u /dev/null SOURCES/squirrelmail-sec-CVS.patch:1.1
--- /dev/null Thu Feb 2 23:24:13 2006
+++ SOURCES/squirrelmail-sec-CVS.patch Thu Feb 2 23:24:08 2006
@@ -0,0 +1,388 @@
+diff -urNbBw -I '^.*$Id: .*' -x .cvsignore squirrelmail-1.4.6-rc1/ChangeLog squirrelmail.stable/ChangeLog
+--- squirrelmail-1.4.6-rc1/ChangeLog 2005-12-10 15:13:08.000000000 +0100
++++ squirrelmail.stable/ChangeLog 2006-01-31 08:22:13.000000000 +0100
+@@ -2,25 +2,38 @@
+ *** SquirrelMail Stable Series 1.4 ***
+ **************************************
+
++Version 1.4.6 - CVS
++-------------------
++ - Security: MagicHTML fix for comments in styles which allowed
++ for cross site scripting when using Internet Explorer (reported
++ by Scott Hughes) [CVE-2006-0195].
++ - Multi-line encoded headers were being deleted (#1394667).
++ - Security: Prohibit IMAP injection attempts (reported by Vicente
++ Aguilera) [CVE-2006-0377].
++ - Handle unsollicited responses inside SORT responses properly.
++ - Security: Fix possible cross site scripting through the right_main
++ parameter of webmail.php. This now uses a whitelist of acceptable
++ values. [CVE-2006-0188]
++
+ Version 1.4.6 Release Candidate 1 - 10 December 2005
+ ----------------------------------------------------
+ - Added Simple Green, Silver Steel, Wood, Bluesome, Simple Green2 and
+ Simple Purple themes. Contributed by Pavel Spatny, Saku Lehtio
+ (#1188209), Vicky Pyne (#1217066 and #1217069).
+ - Fixes for increased error checking in PHP 5.0.5+ array_shift() (#1237160).
+- [php5]
++ [PHP5]
+ - Added extra checks in Delivery class for In-Reply-To header. Fixes
+- E_NOTICE level warnings in PHP 5.0.4 and later (#1206474). [php5]
++ E_NOTICE level warnings in PHP 5.0.4 and later (#1206474). [PHP5]
+ - Added extra checks in SquirrelMail charset_encode() function in case
+ somebody removes HTML to US-ASCII conversion library (#1239782).
+ - Ported devel fixes for PHP 5.0.4 E_NOTICE warnings in Message class
+- (#1164045). [php5]
++ (#1164045). [PHP5]
+ - Auto Refresh Folder List preference now defaults to 10 Minutes, add
+ option for 20 Minutes.
+ - Fixed inline display of attached jpeg/gif/xbm attachments in Mozilla
+ Firefox.
+ - Fixed invalid reference in src/download.php. E_NOTICE level warnings
+- could corrupt attachments in php 4.4.0.
++ could corrupt attachments in PHP 4.4.0.
+ - Fixed error handling in SquirrelSpell plugin. sprintf and gettext
+ formating errors in check_me.mod. Reported by Edward Chapman.
+ - Allow configure to be ran from any directory, thanks Ceri Davies.
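Review bot: the added ChangeLog entry for the SORT fix spells "unsollicited" with a double l; since this text ships to users in the release ChangeLog, change it to "unsolicited". The same wording also appears in the commit log message above, so both copies should be corrected together.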
+@@ -49,7 +62,7 @@
+ sqimap_mailbox_exists() check. Reported by Daniel Watts.
+ - Solved function conflict between compatibility and info plugins.
+ - Added PHP register_globals check to configuration test utility.
+- - Added character set conversion to html message parts and html
++ - Added character set conversion to HTML message parts and HTML
+ attachments with character set information (#1258925). Original patch
+ by Peter Draganov (#1195232).
+ - Fixed decoding of quoted-printable text in decodeBody function.
+@@ -216,7 +229,7 @@
+ messages in it. INBOX is used as fallback folder. By default plugin
+ can use only subscribed mail folders that can store messages (#584658).
+ - Added mbstring.func_overload!=0 workaround (#929644, #1061699).
+- src/configtest.php is modified to warn about broken php configuration.
++ src/configtest.php is modified to warn about broken PHP configuration.
+ - Fixed use of squirrelmail_language cookie with PHP register_globals =
+ off.
+ - Interface can default to first language listed in browser's
+@@ -328,7 +341,7 @@
+ line if quoting inline, or below the original email (#906217).
+ - LC_NUMERIC locale is set to C. Some plugins might use decimal delimiters
+ incorrectly (#1027130).
+- - Turkish translation uses C character case conversion rules. Fixes php and
++ - Turkish translation uses C character case conversion rules. Fixes PHP and
+ squirrelmail functions are assume English conversion rules.
+ - Removed X-Mailer header from SquirrelMail. SpamAssassin 3.0 detects
+ User-Agent + X-Priority headers correctly. Older versions have to fix
+@@ -356,7 +369,7 @@
+ backend.
+ - Sanitized nickname and name entries in address listing.
+ - LDAP backend will use internal SquirrelMail charset conversion functions
+- instead of the php xml extension. Closes bug #655137.
++ instead of the PHP XML extension. Closes bug #655137.
+ - Fix two time zone calculation bugs, thanks to David White. Fixes #1063879.
+ - Handle a reload of the signout page gracefully: do not present an error
+ about having to be logged in to be able to sign out. Fixes #1070069.
+@@ -468,7 +481,7 @@
+ - Fix forwarded emails as attachment from appended ) to the email.
+ - Prevent username and password from being sent in error message if IMAP
+ drops connection during login.
+- - Workaround for Mozilla bug #200412 in order to show multipart/related html mail.
++ - Workaround for Mozilla bug #200412 in order to show multipart/related HTML mail.
+ - Fix for disappearing '0' from decoded strings (bug #784193).
+ - Add Minimal BW theme: a colorless environment for browsers that don't support colors.
+ - Replace all session_start() calls with sqsession_is_active() to be compatible
+@@ -514,7 +527,7 @@
+ preferred not to append the sent mail.
+ - Updated plugin documentation.
+ - Added Faroese translation.
+- - Fix for bug #719619 (xhtml-style css definitions weren't working).
++ - Fix for bug #719619 (XHTML-style CSS definitions weren't working).
+ - Fix bug #722933 where resuming a draft message would lose the reference headers.
+ - Fix that sending of read receipts failed when JavaScript on and comp in new off
+ (bug #738130).
+@@ -674,8 +687,8 @@
+ - Added support for displaying multiple entities.
+ - Changed finding display entities.
+ - Extract disposition and xmailer header information in the headerparser
+- instead of request them individualy by an imap-call.
+- - Store message objects in the current session. This saves a lot of imap-calls.
++ instead of request them individualy by an IMAP-call.
++ - Store message objects in the current session. This saves a lot of IMAP-calls.
+ - Added UID support.
+ - Store addresses in an object instead of a string.
+ - Rewrite of the bodystructureparser function. Now the message object contains
+@@ -711,7 +724,7 @@
+ - Fixed dealing with \r\n and \n in smtp.php.
+ - Fixed to, cc, bcc arrays in message->header
+ - Speed optimizements in generating message-lists.
+- - Fixed loss of attachment with html addressbook.
++ - Fixed loss of attachment with HTML addressbook.
+ - Fixed saving drafts with attachments
+
+ Version 1.2.6 -- April 29 2002
+@@ -753,7 +766,7 @@
+ - Added option for WIDTH and HEIGHT tags to Org. Logo. (patch #412754)
+ - Fixed resume draft bug #513521, #514639
+ - Newmail plugin: admin can disable the use of audio (patch #517698)
+- - Fixed quoting problem in safe html (patch #516542)
++ - Fixed quoting problem in safe HTML (patch #516542)
+ - SPAM folder no longer special folder (filters plugin)
+ - Filtering now happens on folder list refresh (filters plugin)
+ - Added checking of input of the folders page
+@@ -765,7 +778,7 @@
+ - Improved the handling of IMAP [PARSE] messages to reduce retrieval error.
+ - Fixed small bug in handeling timezone (bug #536149).
+ - MDN message now RFC compatible (bug #537662).
+- - Fixed html tables in printer_friendly_bottom.php (patch #542367), and
++ - Fixed HTML tables in printer_friendly_bottom.php (patch #542367), and
+ make it so that printer friendly uses black-on-white colors in stead
+ of the theme colors.
+ - Fixed return address of MDN receipts when having multiple identities
+@@ -823,11 +836,11 @@
+ - Disabled prefs caching under PHP 4.1
+ - Added "Search Memory". Enabling to store up to
+ 9 predefined searchs.
+- - Increased security in html message.
+- - Added the possibility to specify system-defined css in order to
++ - Increased security in HTML message.
++ - Added the possibility to specify system-defined CSS in order to
+ allow users to change the font family and size of SM. Making possible to
+ make it bigger or smaller depending on their screen size. Sysops may add
+- or remove these system-defined css located in themes/css/
++ or remove these system-defined CSS located in themes/css/
+ - Fixed a bug appearing on some apache virtual hosts
+ - Fixed javascript error (#505255)
+ - Fixed the db_prefs so they work again (#499609, thanks to Simon Dick)
+@@ -838,7 +851,7 @@
+ - Fixed an infinite loop in printer friendly when wrapping option
+ is not in the prefs.
+ Bug reported by Boris Manojlovic <steki at verat.net>
+- - Html cleanup, with patch from Dave Huang (#496712)
++ - HTML cleanup, with patch from Dave Huang (#496712)
+ - Fixed a problem saving prefs when using PHP 4.1
+ - Russian, Thai, Swedish, Dutch and French update.
+ - Changed configure invocation from bash to sh. (Bug #496752)
+@@ -992,7 +1005,7 @@
+ $folder_prefix
+ - Some problems with header encoding/decoding fixed
+ - Made subject column take up whatever width is available
+- - Added bcc to html addressbook search
++ - Added bcc to HTML addressbook search
+
+ Version 1.0.3 -- March 9, 2001
+ ------------------------------
+@@ -1120,7 +1133,7 @@
+ Version 0.5 -- September 25, 2000
+ ---------------------------------
+ - Fixed some problems with downloading attachments in IE
+- - If no date is set in header, we take internal date of the imap server
++ - If no date is set in header, we take internal date of the IMAP server
+ - Fixed some lingering bugs in mime parsing
+ - Searching specifies CHARSET option
+ - Security fixes
+diff -urNbBw -I '^.*$Id: .*' -x .cvsignore squirrelmail-1.4.6-rc1/ReleaseNotes squirrelmail.stable/ReleaseNotes
+--- squirrelmail-1.4.6-rc1/ReleaseNotes 2005-12-10 15:13:08.000000000 +0100
++++ squirrelmail.stable/ReleaseNotes 2006-01-30 11:04:52.000000000 +0100
+@@ -1,7 +1,7 @@
+ /*****************************************************************
+- * Release Notes: SquirrelMail 1.4.6 Release Candidate 1 *
++ * Release Notes: SquirrelMail 1.4.6 *
+ * The "???" Release *
+- * 10 December 2005 *
++ * 2006 *
+ *****************************************************************/
+
+ In this edition of SquirrelMail Release Notes:
+@@ -39,6 +39,26 @@
+ decoding functions from the development branch, vastly increasing the
+ number of supported character sets and decoding performance.
+
++Security issues
++===============
++
++This release addresses three different security issues found since
++the release of 1.4.5:
++
++- In webmail.php, the right_frame parameter was not properly sanitized
++ to deal with very lenient browsers, which allowed for cross site
++ scripting or frame replacing. [CVE-2006-0188]
++
++- In the MagicHTML function, some very obscure constructs were discovered
++ to be exploitable: 'u\rl' was interpreted as 'url' (privacy concern), and
++ comments could be inside keywords (allows for cross site scripting). Both
++ only affect Internet Explorer users. Found by Martijn Brinkers and
++ Scott Hughes. [CVE-2006-0195]
++
++- The function sqimap_mailbox_select did not strip newlines from the mailbox
++ parameter, and thereby allowed for IMAP command injection. Found by
++ Vicente Aguilera. [CVE-2006-0377]
++
+
+ Major updates
+ ==============
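Review bot: the ReleaseNotes entry for CVE-2006-0188 names the parameter "right_frame", while the ChangeLog entry added in this same patch calls it the "right_main parameter of webmail.php"; the code in src/webmail.php further down switches on $right_frame, so the ChangeLog wording should be aligned to "right_frame". Also, this note credits a fix for 'u\rl' being read as 'url' under CVE-2006-0195, but the only functions/mime.php changes in this patch add the comment-stripping pattern; confirm the 'u\rl' handling is covered elsewhere or drop that sentence so the notes do not claim more than the patch does.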
+diff -urNbBw -I '^.*$Id: .*' -x .cvsignore squirrelmail-1.4.6-rc1/class/mime/Rfc822Header.class.php squirrelmail.stable/class/mime/Rfc822Header.class.php
+--- squirrelmail-1.4.6-rc1/class/mime/Rfc822Header.class.php 2005-11-27 09:32:37.000000000 +0100
++++ squirrelmail.stable/class/mime/Rfc822Header.class.php 2006-01-16 11:50:51.000000000 +0100
+@@ -671,6 +671,8 @@
+ } else {
+ $aResults[$sKey] .= $value;
+ }
++ } else {
++ $aResults[$key] = $value;
+ }
+ }
+ foreach ($aCharset as $key) {
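Review bot: the new else branch writes $aResults[$key] = $value, whereas the sibling branch two lines above appends to $aResults[$sKey]; if $sKey is the normalised form of $key, storing the unmatched first chunk under $key means a later continuation line keyed by $sKey would not find it and would start a separate entry, which is the multi-line header loss this hunk is meant to fix (#1394667). Please confirm which variable the loop is iterating on and use the same index in both branches.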
+diff -urNbBw -I '^.*$Id: .*' -x .cvsignore squirrelmail-1.4.6-rc1/functions/imap_mailbox.php squirrelmail.stable/functions/imap_mailbox.php
+--- squirrelmail-1.4.6-rc1/functions/imap_mailbox.php 2005-08-11 15:54:19.000000000 +0200
++++ squirrelmail.stable/functions/imap_mailbox.php 2006-01-19 22:15:42.000000000 +0100
+@@ -189,6 +189,9 @@
+ return;
+ }
+
++ // cleanup $mailbox in order to prevent IMAP injection attacks
++ $mailbox = str_replace(array("\r","\n"), array("",""),$mailbox);
++
+ $read = sqimap_run_command($imap_stream, "SELECT \"$mailbox\"",
+ true, $response, $message);
+ $result = array();
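Review bot: stripping "\r" and "\n" closes the CRLF injection vector, but $mailbox is still interpolated into the double-quoted IMAP argument "SELECT \"$mailbox\"" without escaping embedded double quotes or backslashes, so a mailbox name containing either still produces a malformed or differently-parsed command. Consider escaping those two characters as well (or rejecting names that contain them) in the same sanitising step, and a plain '' replacement is enough in place of array("","").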
+diff -urNbBw -I '^.*$Id: .*' -x .cvsignore squirrelmail-1.4.6-rc1/functions/imap_messages.php squirrelmail.stable/functions/imap_messages.php
+--- squirrelmail-1.4.6-rc1/functions/imap_messages.php 2005-11-08 23:20:12.000000000 +0100
++++ squirrelmail.stable/functions/imap_messages.php 2006-01-28 19:41:33.000000000 +0100
+@@ -110,10 +110,14 @@
+ $uidnext = '*';
+ }
+ $query = "SEARCH UID 1:$uidnext";
+- $uids = sqimap_run_command ($imap_stream, $query, true, $response, $message, true);
++ $uids = sqimap_run_command_list ($imap_stream, $query, true, $response, $message, true);
+ if (isset($uids[0])) {
+- if (preg_match("/^\* SEARCH (.+)$/", $uids[0], $regs)) {
+- $server_sort_array = preg_split("/ /", trim($regs[1]));
++ for ($i=0,$iCnt=count($uids);$i<$iCnt;++$i) {
++ for ($j = 0, $jCnt=count($uids[$i]);$j<$iCnt;++$j) {
++ if (preg_match("/^\* SEARCH (.+)$/", $uids[$i][$j], $regs)) {
++ $server_sort_array += preg_split("/ /", trim($regs[1]));
++ }
++ }
+ }
+ }
+ if (!preg_match("/OK/", $response)) {
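Review bot: the inner loop condition uses the outer bound: `for ($j = 0, $jCnt=count($uids[$i]);$j<$iCnt;++$j)` computes $jCnt and then ignores it, so with more responses than lines (or vice versa) it either skips lines or reads past the end of $uids[$i]; change the test to `$j<$jCnt`. Separately, `$server_sort_array += preg_split(...)` is PHP array union, which keeps the left-hand element for every numeric key; because preg_split returns 0-indexed arrays, UIDs from a second SEARCH line would be silently dropped wherever indexes overlap. Use array_merge() (and make sure $server_sort_array is initialised to array() before the loop) so all UIDs are collected.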
+@@ -144,13 +148,14 @@
+ }
+ if (!empty($sort_on[$sort])) {
+ $query = "SORT ($sort_on[$sort]) ".strtoupper($default_charset).' ALL';
+- $sort_test = sqimap_run_command ($imap_stream, $query, true, $response, $message, $uid_support);
++ $sort_test = sqimap_run_command_list ($imap_stream, $query, true, $response, $message, $uid_support);
+ }
+ if (isset($sort_test[0])) {
+ for ($i=0,$iCnt=count($sort_test);$i<$iCnt;++$i) {
+- if (preg_match("/^\* SORT (.+)$/", $sort_test[$i], $regs)) {
+- $server_sort_array = preg_split("/ /", trim($regs[1]));
+- break;
++ for ($j = 0, $jCnt=count($sort_test[$i]);$j<$iCnt;++$j) {
++ if (preg_match("/^\* SORT (.+)$/", $sort_test[$i][$j], $regs)) {
++ $server_sort_array += preg_split("/ /", trim($regs[1]));
++ }
+ }
+ }
+ }
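Review bot: same two defects as the SEARCH hunk above: the inner loop tests `$j<$iCnt` instead of the $jCnt it just computed, and `$server_sort_array += preg_split(...)` discards elements from every SORT line after the first because array union keeps existing numeric keys. Use `$j<$jCnt` and array_merge() here as well, since the whole point of removing the `break` was to accumulate results across several untagged responses.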
+diff -urNbBw -I '^.*$Id: .*' -x .cvsignore squirrelmail-1.4.6-rc1/functions/mime.php squirrelmail.stable/functions/mime.php
+--- squirrelmail-1.4.6-rc1/functions/mime.php 2005-11-09 22:49:07.000000000 +0100
++++ squirrelmail.stable/functions/mime.php 2006-01-16 11:50:51.000000000 +0100
+@@ -1641,11 +1641,12 @@
+ * Fix stupid css declarations which lead to vulnerabilities
+ * in IE.
+ */
+- $match = Array('/expression/i',
++ $match = Array('/\/\*.*\*\//',
++ '/expression/i',
+ '/behaviou*r/i',
+ '/binding/i',
+ '/include-source/i');
+- $replace = Array('idiocy', 'idiocy', 'idiocy', 'idiocy');
++ $replace = Array('', 'idiocy', 'idiocy', 'idiocy', 'idiocy');
+ $contentNew = preg_replace($match, $replace, $contentTemp);
+ if ($contentNew !== $contentTemp) {
+ // insecure css declarations are used. From now on we don't care
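Review bot: the new first pattern '/\/\*.*\*\//' has no s modifier, so a CSS comment that spans a line break is not matched and the keyword check that follows can still be split by it; add the s flag (and since the pattern is greedy, note that it will also remove everything between the first /* and the last */ on the same line, which is acceptable here because the function already treats any hit as a reason to stop trusting the block). The ordering is correct: the comment pattern must run before '/expression/i' and friends so that a keyword reassembled after comment removal is still caught, so keep it at index 0 in both arrays.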
+@@ -2027,6 +2028,7 @@
+ "/^style/i" =>
+ Array(
+ Array(
++ "/\/\*.*\*\//",
+ "/expression/i",
+ "/binding/i",
+ "/behaviou*r/i",
+@@ -2038,6 +2040,7 @@
+ "/(.*)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si"
+ ),
+ Array(
++ "",
+ "idiocy",
+ "idiocy",
+ "idiocy",
+diff -urNbBw -I '^.*$Id: .*' -x .cvsignore squirrelmail-1.4.6-rc1/functions/strings.php squirrelmail.stable/functions/strings.php
+--- squirrelmail-1.4.6-rc1/functions/strings.php 2005-12-10 15:13:08.000000000 +0100
++++ squirrelmail.stable/functions/strings.php 2006-01-16 11:50:52.000000000 +0100
+@@ -17,7 +17,7 @@
+ * SquirrelMail version number -- DO NOT CHANGE
+ */
+ global $version;
+-$version = '1.4.6-rc1';
++$version = '1.4.6 [CVS]';
+
+ /**
+ * SquirrelMail internal version number -- DO NOT CHANGE
+diff -urNbBw -I '^.*$Id: .*' -x .cvsignore squirrelmail-1.4.6-rc1/help/en_US/basic.hlp squirrelmail.stable/help/en_US/basic.hlp
+--- squirrelmail-1.4.6-rc1/help/en_US/basic.hlp 2005-11-13 13:15:18.000000000 +0100
++++ squirrelmail.stable/help/en_US/basic.hlp 2005-12-10 20:33:50.000000000 +0100
+@@ -8,7 +8,7 @@
+ </summary>
+ <description>
+ <p>
+- So what exactly is <a href="http://www.squirrelmail.org/index.php3?from=1">SquirrelMail</a>?
++ So what exactly is <a href="http://www.squirrelmail.org/">SquirrelMail</a>?
+ It's a web interface to email that's written in <a href="http://www.php.net">PHP</a>.
+ It was designed to allow email access through your server from
+ anywhere in the world via the Web. More information about exactly
+diff -urNbBw -I '^.*$Id: .*' -x .cvsignore squirrelmail-1.4.6-rc1/src/webmail.php squirrelmail.stable/src/webmail.php
+--- squirrelmail-1.4.6-rc1/src/webmail.php 2005-11-09 23:44:28.000000000 +0100
++++ squirrelmail.stable/src/webmail.php 2006-01-31 08:22:13.000000000 +0100
+@@ -137,26 +137,29 @@
+ $right_frame = '';
+ }
+
+-
+-if ($right_frame == 'right_main.php') {
+- $urlMailbox = urlencode($mailbox);
+- $right_frame_url = "right_main.php?mailbox=$urlMailbox"
++switch($right_frame) {
++ case 'right_main.php':
++ $right_frame_url = "right_main.php?mailbox=".urlencode($mailbox)
+ . (!empty($sort)?"&sort=$sort":'')
+ . (!empty($startMessage)?"&startMessage=$startMessage":'');
+-} elseif ($right_frame == 'options.php') {
++ break;
++ case 'options.php':
+ $right_frame_url = 'options.php';
+-} elseif ($right_frame == 'folders.php') {
++ break;
++ case 'folders.php':
+ $right_frame_url = 'folders.php';
+-} elseif ($right_frame == 'compose.php') {
++ break;
++ case 'compose.php':
+ $right_frame_url = 'compose.php?' . $mailto;
+-} else if ($right_frame == '') {
++ break;
++ case '':
+ $right_frame_url = 'right_main.php';
+-} else {
+- $right_frame_url = htmlspecialchars($right_frame);
++ break;
++ default:
++ $right_frame_url = urlencode($right_frame);
++ break;
+ }
+
+-
+-
+ if ($location_of_bar == 'right') {
+ $output .= "<frame src=\"$right_frame_url\" name=\"right\" frameborder=\"1\" />\n" .
+ "<frame src=\"left_main.php\" name=\"left\" frameborder=\"1\" />\n";
================================================================