Your message dated Sat, 11 Nov 2006 12:36:57 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Bug#307575: cross-site scripting attack via redirect parameter 
(CAN-2005-1308)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: sqwebmail
Version: 0.47-4
Severity: important
Tags: security

sqwebmail is vulnerable to a cross-site scripting attack:

  Input passed to the "redirect" parameter is not properly sanitised. This can
  be exploited to inject malicious characters into HTTP headers and may allow
  execution of arbitrary HTML and script code in a user's browser session in
  context of an affected site.

Details here: http://secunia.com/advisories/15119

This is supposed to be a working proof of concept, but I've not actually
tested it:

sqwebmail?redirect=%0d%0a%0d%0a[INJECT SCRIPT] 

-- 
see shy jo

--- End Message ---
--- Begin Message ---
Florian Weimer wrote:
> * Stefan Hornburg:
> 
> > The upstream author commented that advisory as follows:
> >
> > I certainly never heard of it, and the description (or the lack of it) 
> > leaves me somewhat skeptical.  The redirect URL is generated by: 
> > output_attrencoded(cgi("redirect")), which encodes all metacharacters.
> >
> > Move along, nothing here to see.
> 
> I'm not sure if this is correct.  From the Debian package, in
> webmail/sqwebmail.c:

Upon further discussion Florian confirmed that the URL is protected
by an HMAC. This bug can be closed.

Cheers,
        Moritz




--- End Message ---
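
Why an HMAC over the redirect value blocks the injection discussed in this thread, as an added example that is not sqwebmail's code and not written by any participant. The key, the function names and the choice of HMAC-SHA256 are assumptions, since the thread does not show how sqwebmail computes or checks its HMAC.

```python
import hashlib
import hmac
import html

# Hypothetical server-side secret (constructed for this example).
SECRET_KEY = b"constructed-demo-key"


def sign_redirect(url: str) -> str:
    """Tag the server attaches when it generates a redirect link itself."""
    return hmac.new(SECRET_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def attr_encode(value: str) -> str:
    """Encode HTML metacharacters (& < > " ') for use in an attribute value."""
    return html.escape(value, quote=True)


def handle_redirect(url: str, tag: str):
    """Return (status, body) for a request carrying redirect=url and its tag."""
    expected = sign_redirect(url).encode("ascii")
    # Constant-time comparison on bytes, so a non-ASCII tag cannot raise.
    if not hmac.compare_digest(expected, tag.encode("utf-8")):
        return (403, "invalid redirect token")
    # Defence in depth: no CR, LF or other control characters, even when signed.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return (400, "control characters in redirect")
    return (200, '<meta http-equiv="refresh" content="0; URL=%s">' % attr_encode(url))


if __name__ == "__main__":
    good = "http://mail.example.org/inbox?folder=INBOX&pos=0"  # constructed
    tag = sign_redirect(good)
    print(handle_redirect(good, tag))
    # The request shape from the report, with its placeholder left as-is:
    print(handle_redirect("\r\n\r\n[INJECT SCRIPT]", tag))
```

A client that alters the redirect value cannot produce a matching tag without the server's key, so the request is refused before the value reaches any header or HTML output.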
