Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: [SquirrelMail-Security] XSS in Squirrelmail plugin 'Virtual Keyboard' <= 0.9.1
From: Paul Lesniewski <paul () squirrelmail org>
Date: Fri, 15 Oct 2010 21:31:15 -0700

On Fri, Oct 15, 2010 at 8:19 PM, Moritz Naumann
<security () moritz-naumann com> wrote:
Hi Paul,

On 16.10.2010 02:44 Paul Lesniewski wrote:
On Tue, Oct 5, 2010 at 9:28 AM, Moritz Naumann
<security () moritz-naumann com> wrote:
Squirrelmail plugin 'Virtual Keyboard' version 0.9.1 and lower is
vulnerable to cross site scripting (XSS).
As a member of the SquirrelMail development team, I am quite
displeased with this announcement.

thanks for openly sharing your opinion on this matter.

I guess I have to provide a complete timeline. 'Complete' here, means
from my perspective, since I initially reported the vulnerability and
thus have the responsibility of ensuring it get's published, in time, so
that users are able to patch their vulnerable systems. That's also why
the Full Disclosure Policy [1] requires a steady flow of communication
and information in both directions. Unfortunately, in this case, it was
somewhat one-sided.

May 05, 2010: Moritz reports vulnerability to Daniel and
security-2010 () squirrelmail

May 06, 2010: Daniel responds to Moritz and security-2010 () squirrelmail,
attaching a fixed version

May 07, 2010: Moritz responds to Daniel and security-2010 () squirrelmail,
asking for source code repository or other public storage location

May 07, 2010: Daniel responds to Moritz and security-2010 () squirrelmail,
reporting that his account on the squirrelmail.org plugin repository is
disabled and he's trying to get in touch with the Squirrelmail
developers on this

May 07, 2010: Moritz responds to Daniel, stating that (after having
reviewed the new version by Daniel) it should fix the previously
reported vulnerability.

May 10, 2010: Moritz responds to Daniel and security-2010 () squirrelmail,
trying to mediate between Daniel and the Squirrelmail developers, in the
interest of getting the security fix out as soon as possible, and
checking with Daniel whether it would be ok to distibute his update by
other means in case his access to the repository cannot be restored in a
timely fashion.

May 10, 2010: Daniel responds to Moritz, giving permission to publish
his work, stating he is awaiting a response by the Squirrelmail Team to
get his plugin repository account reactivated.

May 11, 2010: Paul of Squirrelmail responds to Moritz (for the first
time) and Daniel, stating that the plugin is not conformant with current
Squirrelmail standards, and that he (not the Squirrelmail team as a
whole) will work with Daniel to get the code to release quality, asking
Moritz for patience and  noting that he is "sure [Moritz] will be made
aware of a release".

May 29, 2010: Moritz contacts Daniel, Paul and
security-2010 () squirrelmail; not having heard from either Daniel or
anyone from Suqirrelmail for a while, he asks for an update.

May 31, 2010: Daniel responds to Moritz, stating that he is currently ill.

June 01, 2010: Moritz responds to Daniel stating that he will delay the
advisory for another week.

June 02, 2010: Daniel responds to Moritz, Paul and
security-2010 () squirrelmail, attaching an improved fixed version

June 07, 2010: Moritz responds to Daniel, Paul and
security-2010 () squirrelmail, suggesting that, "unless more changes need
to happen, the Squirrelmail team could probably review and publish"
Daniels new version in their plugin repository.

Oct 05, 2010: Not having heard again from Squirrelmail team or Paul or
Daniel on this matter, realizing that 5 months after the initial report
there is still no security fix available, Moritz publishes an advisory,
including Daniels' fix, in the interest of safeguarding the users of
this plugin (and, yes, for the credit, too).

While I think this timeline puts the handling of this vulnerability in a
different light than your email, I am not going into the details since I

I have reviewed the former communications, and must state that I was
mistaken in that your emails were in fact addressed to the
SquirrelMail team via our security address.  My apologies for that.

However, as I stated early on to you, "Daniel and I will be working to
get the code up to date and release it as soon as possible."  I did/do
not believe you needed to be part of discussions that did not regard
the issue you reported.  At the time you last asked if the plugin
could be published, I was already waiting for Daniel to respond
regarding the changes I asked him to make.  I could have replied to
you that as far as I knew, we were still waiting, but your overly
impatient emails were quite insensitive toward we overworked and
unpaid FOSS developers, to which, for sanity's sake, an appropriate
response is none at all.  It's too bad Daniel wasn't able to reply,
either, but perhaps he had the same reaction.

Petty details and timelines aside, the point that IS relevant for
public consumption is that, after you waited four months and decided
that you'd unilaterally publish your report, you didn't bother to
contact the plugin author nor the SquirrelMail team AT ALL.  This is
inexcusable, and, having worked with other over-anxious reporters in
the past, I believe this is something others out there should learn

am not interested in extending this discussion - it simply serves no
purpose. My primary interest was in making it possible to fix the
vulnerable installations out there, and this advisory was a result of
it. I would have preferred to see it better handled (and I'm not only
addressing this to you, Paul), but this is not always possible.

If you would like to discuss this further, you are welcome to do so, but
please consider whether it is possible to do this off-list
(I assume only few subscribers, if any, will not consider this
off-topic). I have nothing to hide in this respect, but I also don't
want to annoy people with a mostly - to the general audience of these
mailing lists - irrelevant discussion.

I'm sorry if a public lashing doesn't seem like the nicest way to
handle such matters, and I do hope it does not cause resentment or any
other regretful emotion, but I think discussion of a proper and
considerate reporting process (which I sincerely believe should be
different when dealing with FOSS software, since many of us aren't
paid to do it full time) is quite relevant.

Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]