mailing list archives
Re: [SquirrelMail-Security] XSS in Squirrelmail plugin 'Virtual Keyboard' <= 0.9.1
From: Paul Lesniewski <paul () squirrelmail org>
Date: Fri, 15 Oct 2010 17:44:39 -0700
On Tue, Oct 5, 2010 at 9:28 AM, Moritz Naumann
<security () moritz-naumann com> wrote:
Squirrelmail plugin 'Virtual Keyboard' version 0.9.1 and lower is
vulnerable to cross site scripting (XSS).
The vkeyboard.php script fails to sanitize the value of HTTP GET
parameter 'passformname' which the script stores in a variable of the
same name and outputs (unmodified) into a HTML document later. As such,
it is possible to inject client-evaluated HTML and script code into the
output generated by the application.
For proof of concept, accessing the following location ([Base_URL]
refers to a Squirrelmail installation with a vulnerable version of the
windows reading 'XSS' popping up:
'Virtual Keyboard' installations can be found using this 'Google dork':
This vulnerability was originally reported in early May 2010.
A suitable update fixing this issue, Virtual Keyboard v0.9.2 for
Squrrelmail 1.4.x, has been provided to the Squirrelmail developers and
me by Daniel Kobayashi Imori of Bastion Systems (the original developer
of this plugin) in early June 2010 and is attached to this email -
thanks Daniel. The Squirrelmail team has not yet made it to update this
plugin in their repository:
As a member of the SquirrelMail development team, I am quite
displeased with this announcement. The reporter did not check in with
us before it was made. The truth of the matter, of which the reporter
seems ignorant and apparently didn't bother to verify is as follows:
The version with a fix was in fact sent to me personally, but not, as
the reporter claims, to all the "SquirrelMail developers."
That version was not up to spec in several regards, and so I
encouraged the plugin's author to work on a more up-to-date version.
The author responded with interest, but after another correspondence
regarding the quality of the plugin's code, the author failed to
As far as I was concerned, the issue was waiting for the author to
respond to me and/or the issue reporter with an updated status of the
plugin. Early on, the reporter (Moritz Naumann) sent more than one
email prodding for the chance to publish the vulnerability, which to
me sounded quite impatient and thus, as far as I could tell, eager to
take credit for the discovery rather than help resolve the situation.
After the author fell silent, Moritz also fell silent and gave no
indication that he planned to make this announcement.
While we are greatly interested in providing only secure plugins to
our community, the SquirrelMail developers do not take ultimate
responsibility for any third party plugins and moreover take VERY
UNKINDLY to this kind of impatient, uncommunicative and irresponsible
So this is the first public release I am aware of.
Great, so you've made a big name for yourself now.
Please support Open Source Software by donating to SquirrelMail!
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/