
List:       squirrelmail-cvs
Subject:    [SM-CVS] SF.net SVN: squirrelmail:[14119]
From:       pdontthink () users ! sourceforge ! net
Date:       2011-07-12 4:36:01
Message-ID: E1QgUhV-0007Rl-Hy () sfp-svn-6 ! v30 ! ch3 ! sourceforge ! com

Revision: 14119
          http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=14119&view=rev
Author:   pdontthink
Date:     2011-07-12 04:36:01 +0000 (Tue, 12 Jul 2011)

Log Message:
-----------
Fix XSS holes in generic options inputs, XSS hole in the SquirrelSpell plugin, XSS hole in the Index Order page, and added anti-CSRF protection to the empty trash feature and the Index Order page (thanks to Nicholas Carlini for finding all these issues) [CVE-2010-4555]

Modified Paths:
--------------
    branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog
    branches/SM-1_4-STABLE/squirrelmail/functions/options.php
    branches/SM-1_4-STABLE/squirrelmail/plugins/squirrelspell/modules/check_me.mod
    branches/SM-1_4-STABLE/squirrelmail/src/empty_trash.php
    branches/SM-1_4-STABLE/squirrelmail/src/left_main.php
    branches/SM-1_4-STABLE/squirrelmail/src/options_order.php

Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog	2011-07-12 03:44:23 UTC (rev \
                14118)
+++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog	2011-07-12 04:36:01 UTC (rev \
14119) @@ -58,6 +58,10 @@
     putting the number of new messages in the browser title
   - Added clickjacking protection (thanks to Asbjorn Thorsen and Geir
     Hansen for bringing this to our attention). [CVE-2010-4554]
+  - Fixed XSS holes in generic options inputs, XSS hole in the SquirrelSpell
+    plugin, XSS hole in the Index Order page, and added anti-CSRF protection
+    to the empty trash feature and the Index Order page (thanks to Nicholas
+    Carlini for finding all these issues). [CVE-2010-4555]
 
 Version 1.4.21 - 23 Jul 2010
 ----------------------------
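Review bot: the four new ChangeLog lines describe the fixes but not the behaviour change they bring for administrators: after this commit every non-TEXTAREA option value has CR/LF stripped and a selection-list value that is not a key of `possible_values` is silently discarded (see the functions/options.php hunk). A short clause saying so would tell anyone whose custom option widgets relied on multi-line values why saves now differ.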

Modified: branches/SM-1_4-STABLE/squirrelmail/functions/options.php
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/functions/options.php	2011-07-12 03:44:23 UTC \
                (rev 14118)
+++ branches/SM-1_4-STABLE/squirrelmail/functions/options.php	2011-07-12 04:36:01 UTC \
(rev 14119) @@ -852,6 +852,21 @@
         return;
     }
 
+    // if the widget is a selection list, make sure the new
+    // value is actually in the selection list and is not an
+    // injection attack
+    //
+    if ($option->type == SMOPT_TYPE_STRLIST
+     && !array_key_exists($option->new_value, $option->possible_values))
+        return;
+
+
+    // all other widgets except TEXTAREAs should never be allowed to have newlines
+    //
+    else if ($option->type != SMOPT_TYPE_TEXTAREA)
+        $option->new_value = str_replace(array("\r", "\n"), '', $option->new_value);
+
+
     global $data_dir;
 
     // edit lists: first add new elements to list, then
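Review bot: the `return;` followed by two blank lines, a comment and then `else if` is hard to read and easy to break on a later edit; a plain `if { ... } elseif { ... }` chain with braces would be clearer. The check also fails closed by accident rather than by design when `$option->new_value` arrives as an array (a `opt[]=` style request): `array_key_exists()` emits a warning and returns false, so the value is dropped but with log noise. Suggest an explicit guard, e.g. `if (!is_scalar($option->new_value) || !array_key_exists($option->new_value, $option->possible_values)) return;`, and a comment stating that `possible_values` must be an array for every STRLIST widget, since `array_key_exists()` on a non-array warns as well.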

Modified: branches/SM-1_4-STABLE/squirrelmail/plugins/squirrelspell/modules/check_me.mod
 ===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/plugins/squirrelspell/modules/check_me.mod	2011-07-12 \
                03:44:23 UTC (rev 14118)
+++ branches/SM-1_4-STABLE/squirrelmail/plugins/squirrelspell/modules/check_me.mod	2011-07-12 \
04:36:01 UTC (rev 14119) @@ -267,7 +267,7 @@
   for ($i=0; $i<sizeof($sqspell_lines); $i++){
     // use addcslashes for compatibility with magic_quotes_sybase
     $extrajs.= "sqspell_lines[$i] = \""
-      . chop(addcslashes($sqspell_lines[$i], "'\"\\\x0")) . "\";\n";
+      . chop(addcslashes($sqspell_lines[$i], ">'\"\\\x0")) . "\";\n";
   }
   $extrajs.= "\n\n";
 
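Review bot: adding `>` to the `addcslashes()` character list only prevents the string from closing the enclosing `<script>` element; `<` is still emitted raw, so the more robust fix is to escape both angle brackets (and `&`) or, where the branch can require PHP 5.2+, to build the array with `json_encode()` instead of hand-assembling a JavaScript literal. Whichever route is kept, a code comment explaining why `>` is in the list would stop the next maintainer from removing it as a stray character.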

Modified: branches/SM-1_4-STABLE/squirrelmail/src/empty_trash.php
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/src/empty_trash.php	2011-07-12 03:44:23 UTC \
                (rev 14118)
+++ branches/SM-1_4-STABLE/squirrelmail/src/empty_trash.php	2011-07-12 04:36:01 UTC \
(rev 14119) @@ -36,6 +36,11 @@
 
 /* finished globals */
 
+// first do a security check
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_FORM))
+    $submitted_token = '';
+sm_validate_security_token($submitted_token, 3600, TRUE);
+
 $imap_stream = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0);
 
 sqimap_mailbox_list($imap_stream);
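Review bot: the token check correctly runs before `sqimap_login()`, but the script relies entirely on `sm_validate_security_token()` to abort on a bad token; a comment saying that the `TRUE` third argument means "stop on failure" would make that explicit. Note also that the purge is still triggered by a plain GET link from left_main.php, and a CSRF token carried in a query string is exposed in Referer headers and browser history; a small POST form would be the more robust shape, and the 3600-second lifetime chosen here should be kept in step with the one in options_order.php.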
@@ -51,6 +56,7 @@
 
 /** First create the top node in the tree **/
 $numboxes = count($boxes);
+$foldersTree = array();
 for ($i = 0; $i < $numboxes; $i++) {
     if (($boxes[$i]['unformatted'] == $mailbox) && \
(strlen($boxes[$i]['unformatted']) == strlen($mailbox))) {  $foldersTree[0]['value'] \
= $mailbox;
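Review bot: `$foldersTree = array();` is a correct fix for the undefined-variable notice when `$boxes` is empty, but it is unrelated to the XSS/CSRF work and is not mentioned in the log message; note it there so the change can be traced later.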

Modified: branches/SM-1_4-STABLE/squirrelmail/src/left_main.php
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/src/left_main.php	2011-07-12 03:44:23 UTC \
                (rev 14118)
+++ branches/SM-1_4-STABLE/squirrelmail/src/left_main.php	2011-07-12 04:36:01 UTC \
(rev 14119) @@ -103,7 +103,7 @@
         if (($numMessages > 0) or ($box_array['parent'] == 1)) {
             $urlMailbox = urlencode($real_box);
             $line .= "\n<small>\n" .
-                    '&nbsp;&nbsp;(<a href="empty_trash.php" \
style="text-decoration:none">'._("Purge").'</a>)' . +                    \
'&nbsp;&nbsp;(<a href="empty_trash.php?smtoken=' . sm_generate_security_token() . '" \
style="text-decoration:none">'._("Purge").'</a>)' .  '</small>';
         }
     }
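Review bot: the token is concatenated straight into the `href` without `urlencode()` or `htmlspecialchars()`; that is only safe if `sm_generate_security_token()` is guaranteed to return URL- and HTML-safe characters, which should be stated in a comment or enforced by wrapping the call, e.g. `'empty_trash.php?smtoken=' . urlencode(sm_generate_security_token())`. As noted for empty_trash.php, a destructive action behind a GET link remains exposed to Referer leakage of the token.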

Modified: branches/SM-1_4-STABLE/squirrelmail/src/options_order.php
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/src/options_order.php	2011-07-12 03:44:23 UTC \
                (rev 14118)
+++ branches/SM-1_4-STABLE/squirrelmail/src/options_order.php	2011-07-12 04:36:01 UTC \
(rev 14119) @@ -31,12 +31,16 @@
 require_once(SM_PATH . 'functions/forms.php');
 
 /* get globals */
-sqgetGlobalVar('num',       $num,       SQ_GET);  
+if (sqgetGlobalVar('num', $num, SQ_GET))  
+   $num = (int)$num;
+else
+   $num = 0;
+
 sqgetGlobalVar('add',       $add,       SQ_POST);
 
 sqgetGlobalVar('submit',    $submit);
 sqgetGlobalVar('method',    $method);
-if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) {
+if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_FORM)) {
     $submitted_token = '';
 }
 /* end of get globals */
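Review bot: the `(int)$num` cast with a `0` default closes the unvalidated-input hole, but switching the token lookup from `SQ_POST` to `SQ_FORM` widens acceptance to GET; that is required for the new `remove` links, yet it also means any POST handler in this file now accepts a token from the query string. A comment on the `SQ_FORM` line explaining why both sources are accepted would help the next reader.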
@@ -61,17 +65,21 @@
     
     if (! isset($method)) { $method = ''; }
  
-    if ($method == 'up' && $num > 1) {
+    if ($method == 'up' && $num > 0 && $num > 1) {
         $prev = $num-1;
         $tmp = $index_order[$prev];
         $index_order[$prev] = $index_order[$num];
         $index_order[$num] = $tmp;
-    } else if ($method == 'down' && $num < count($index_order)) {
+    } else if ($method == 'down' && $num > 0 && $num < count($index_order)) {
         $next = $num++;
         $tmp = $index_order[$next];
         $index_order[$next] = $index_order[$num];
         $index_order[$num] = $tmp;
-    } else if ($method == 'remove' && $num) {
+    } else if ($method == 'remove' && $num > 0) {
+
+        // first do a security check
+        sm_validate_security_token($submitted_token, 3600, TRUE);
+
         for ($i=1; $i < 8; $i++) {
             removePref($data_dir, $username, "order$i"); 
         }
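Review bot: `$num > 0 && $num > 1` in the `up` branch is redundant (the second test implies the first); `$num > 1` alone is clearer. More importantly, `sm_validate_security_token()` is called only inside the `remove` branch, so if `up` and `down` are reachable by the same kind of link they still modify the stored order without a token; either they already arrive via a token-checked POST form (then a comment should say so) or the check belongs above the whole `if/else if` chain. The pre-existing `$next = $num++;` in the `down` branch also reads oddly (post-increment assigns the old value) and deserves a second look while here.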
@@ -124,7 +132,7 @@
             echo html_tag( 'td' );
             /* Always show the subject */
             if ($tmp != 4)
-               echo '<small><a href="options_order.php?method=remove&amp;num=' . $i \
. '">' . _("remove") . '</a></small>'; +               echo '<small><a \
href="options_order.php?method=remove&amp;num=' . $i . '&smtoken=' . \
sm_generate_security_token() . '">' . _("remove") . '</a></small>';  else
                echo '&nbsp;'; 
             echo '</td>';
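Review bot: the new link mixes `&amp;num=` with a bare `&smtoken=`; inside an HTML attribute both separators should be `&amp;`, and the token should go through `urlencode()` unless its alphabet is guaranteed safe, e.g. `'&amp;smtoken=' . urlencode(sm_generate_security_token())`.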

