Your message dated Thu, 3 Feb 2005 10:10:44 +0100 (CET)
with message-id <[EMAIL PROTECTED]>
and subject line Bug#293381: vulnerable to another XSS hole (CAN-2005-0104)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Wed, 2 Feb 2005 15:45:53 -0500
From: Joey Hess <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: vulnerable to another XSS hole (CAN-2005-0104)
Message-ID: <[EMAIL PROTECTED]>
Package: squirrelmail
Version: 2:1.4.4-1
Tags: security
Severity: grave

Seems that squirrelmail in unstable is still vulnerable to the
cross-site scripting hole CAN-2005-0104. The mail below has some
details and a patch against the woody version follows. The CAN-2005-0152
part of the patch is not relevant, but most of the webmail.php patch
will apply to the unstable version.

----- Forwarded message from Martin Schulze <[EMAIL PROTECTED]> -----

From: Martin Schulze <[EMAIL PROTECTED]>
Date: Wed, 2 Feb 2005 12:29:21 +0100
To: Joey Hess <[EMAIL PROTECTED]>
Subject: Re: [SECURITY] [DSA 662-1] New squirrelmail package fixes several vulnerabilities
User-Agent: Mutt/1.5.6+20040907i

Joey Hess wrote:
> Martin Schulze wrote:
> > CAN-2005-0104
> >
> >     Upstream developers noticed that an unsanitised variable could
> >     lead to cross site scripting.
>
> The changelog for squirrelmail 2:1.4.4-1 says that the CAN for the XSS
> hole is -0103, not -104. Which is wrong, or is this a different hole?

It's a different hole.  Woody is not vulnerable to 0103 and we thought
that it wasn't to 0104 either, but that turned out to be wrong.

> Both CANs are still reserved so I can't check.

This should help:

http://cvs.sf.net/viewcvs.py/squirrelmail/squirrelmail/src/webmail.php?r1=1.92.2.8&r2=1.92.2.6&only_with_tag=SM-1_4-STABLE

Use CAN-2005-0103 for cross site scripting
and CAN-2005-0104 for code injection via unsanitised integer variable

Regards,

        Joey

-- 
Still can't talk about what I can't talk about.  Sorry.  -- Bruce Schneier

diff -u squirrelmail-1.2.6/debian/changelog squirrelmail-1.2.6/debian/changelog
--- squirrelmail-1.2.6/debian/changelog
+++ squirrelmail-1.2.6/debian/changelog
@@ -1,3 +1,16 @@
+squirrelmail (1:1.2.6-2) stable-security; urgency=3Dhigh
+
+  * Security upload
+  * [CAN-2005-0152] Close security hole where URL-manipulation in combinat=
ion
+    with register_globals and allow_url_fopen both set to On could lead to
+    remote code execution as the www-data user. (Closes: #292714).
+    This issue is specific to exactly version 1.2.6 of SquirrelMail (older
+    and newer versions not vulnerable). Thanks Grant Hollingworth for
+    discovering this bug and notifying us about it.
+  * [CAN-2005-0104] Fix possible XSS issues in src/webmail.php.
+
+ -- Thijs Kinkhorst <[EMAIL PROTECTED]>  Sun, 30 Jan 2005 18:27:25 +01=
00
+
 squirrelmail (1:1.2.6-1.4) stable-security; urgency=3Dhigh
=20
   * Non-maintainer upload for security issues. Thanks to Thijs Kinkhorst f=
or
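Review bot: the CAN-2005-0104 bullet describes the fix as "possible XSS issues in src/webmail.php", but the forwarded reply earlier in this report assigns CAN-2005-0103 to the cross-site scripting issue and CAN-2005-0104 to code injection via an unsanitised integer variable; the changelog entry should carry the description that matches the identifier so that the DSA text, the changelog and the security tracker agree. The wrapped trailer line (`+01=` / `00`) looks like mail line-wrapping rather than part of the patch, but whoever applies it should confirm the `-- Thijs Kinkhorst ...` line is intact, since dpkg-parsechangelog is strict about that line.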
only in patch2:
--- squirrelmail-1.2.6.orig/src/webmail.php
+++ squirrelmail-1.2.6/src/webmail.php
@@ -85,14 +85,17 @@
=20
 if ($right_frame =3D=3D 'right_main.php') {
     $urlMailbox =3D urlencode($mailbox);
+    $urlSort    =3D urlencode($sort);
+    $urlStartMessage =3D urlencode($startMessage);
+   =20
     $right_frame_url =3D
-        "right_main.php?mailbox=3D$urlMailbox&amp;sort=3D$sort&amp;startMe=
ssage=3D$startMessage";
+        "right_main.php?mailbox=3D$urlMailbox&amp;sort=3D$urlSort&amp;star=
tMessage=3D$urlStartMessage";
 } elseif ($right_frame =3D=3D 'options.php') {
     $right_frame_url =3D 'options.php';
 } elseif ($right_frame =3D=3D 'folders.php') {
     $right_frame_url =3D 'folders.php';
 } elseif ($right_frame =3D=3D 'compose.php') {
-    $right_frame_url =3D "compose.php?send_to=3D$rcptaddress";
+    $right_frame_url =3D "compose.php?send_to=3D" . urlencode($rcptaddress=
);
 } else {
     $right_frame_url =3D 'right_main.php';
 }
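Review bot: urlencode() is the right call for $mailbox and $rcptaddress, but $sort and $startMessage are numeric values (this thread describes CAN-2005-0104 as injection via an unsanitised integer variable), so coercing them, e.g. `$urlSort = (int) $sort;`, rejects anything non-numeric outright instead of merely escaping it; urlencode() on a value that should only ever be a digit string is a weaker check than the data type allows. The added `+   =20` line is whitespace-only and can be dropped. Since the string already carries `&amp;`, it is evidently emitted into HTML; urlencode()'s output (alphanumerics, `-_.` and `%XX` sequences) contains nothing that needs further HTML escaping, so the encoded form is safe in that context as well, which is worth stating in the changelog entry.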


----- End forwarded message -----
-- 
see shy jo


---------------------------------------
Message-ID: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Date: Thu, 3 Feb 2005 10:10:44 +0100 (CET)
Subject: Re: Bug#293381: vulnerable to another XSS hole (CAN-2005-0104)
From: "Thijs Kinkhorst" <[EMAIL PROTECTED]>
To: "Joey Hess" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]

Hello,

> Seems that squirrelmail in unstable is still vulnerable to the
> cross-site scripting hole CAN-2005-0104.

This is untrue, SquirrelMail 1.4.4 has explicitly been fixed for
CAN-2005-0104 as can be seen in the ChangeLog and I've checked the patch
just now to be sure.

"Seems that" is very vague wording which doesn't help with strengthening
your position that it's vulnerable. I'm pretty convinced that this is just
a mistake and will close the bug - if you think otherwise please provide
*details* as to what should be wrong.

Thanks,
Thijs
